stats
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
curlutility to communicate with the Lab Nocturne API and usesechoto read environment variables.\n- [EXTERNAL_DOWNLOADS]: The skill fetches dynamic content, including a temporary API key and usage statistics, from theimages.labnocturne.comdomain at runtime.\n- [CREDENTIALS_UNSAFE]: The skill instructions require accessing the$LABNOCTURNE_API_KEYenvironment variable to authenticate API requests.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes and displays data from an external API without sanitization.\n - Ingestion points: Usage data is ingested from the JSON response of
https://images.labnocturne.com/stats.\n - Boundary markers: No delimiters or instructions are used to separate the external data from the agent's core instructions.\n
- Capability inventory: The skill has the ability to execute shell commands via
curl.\n - Sanitization: The skill directly extracts and displays values from the external JSON response without validation.
Audit Metadata