gcs-lifecycle-policy

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH | COMMAND_EXECUTION | PROMPT_INJECTION | NO_CODE
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it processes untrusted data from GCP environments (bucket names, metadata, policy configurations) and has broad write/execute capabilities via the Bash(gcloud:*) tool. An attacker who can influence GCP resource metadata could trick the agent into executing unauthorized commands.
      • Ingestion points: GCP API outputs and user-provided bucket/policy names (SKILL.md).
      • Boundary markers: Absent. There are no instructions to ignore embedded commands in data.
      • Capability inventory: Powerful Bash(gcloud:*) tool capable of modifying IAM, deleting resources, or exfiltrating data.
      • Sanitization: Absent. No filtering or validation of GCP output is defined.
  • [Command Execution] (MEDIUM): The skill requests Bash(gcloud:*) permission. The gcloud wildcard allows the agent to execute any command in the SDK, which violates the principle of least privilege given that the skill's stated purpose is limited to lifecycle policies.
  • [No Code] (INFO): The skill consists entirely of metadata and documentation with no internal scripts or verifiable logic, making its actual behavior entirely dependent on the underlying model's interpretation and safety filters.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:35 PM