project-health
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The references/permission-presets.md file defines extremely broad allow-lists for bash commands, including sensitive system utilities (rm, kill, systemctl) and privilege escalation tools (sudo, chmod, chown). These are intended for auto-approval in the agent's configuration, significantly reducing the security boundaries of the environment.
- [DATA_EXFILTRATION]: The skill configuration enables broad access to network tools such as curl, wget, ssh, scp, and rsync, combined with recursive read access to the local /tmp directory. This provides a functional capability for exfiltrating sensitive local files to remote servers.
- [REMOTE_CODE_EXECUTION]: The skill instructions in SKILL.md explicitly direct sub-agents to dynamically generate and execute Python scripts from the .jez/scripts/ directory for complex analysis tasks, which constitutes a dynamic code execution pattern.
- [PROMPT_INJECTION]: The skill processes untrusted repository files and conversation history without sanitization or boundary markers, creating an attack surface for indirect prompt injection that could influence configuration generation. Ingestion points: scans project files and conversation history; Boundary markers: absent in sub-agent prompts; Capability inventory: high (file writes, script generation, network-enabled bash); Sanitization: no sanitization of ingested content is described.
Audit Metadata