sops-decrypt
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates shell commands using variables derived from the local file system, such as sops --decrypt <file>.enc.yaml. Interpolating workspace-derived file names into a shell command line is a potential command injection vector if a name contains shell metacharacters.
- [COMMAND_EXECUTION]: The workflow executes Python scripts located at a relative path outside the skill's own directory (../sops-setup/scripts/). These are vendor-owned resources, but executing scripts from outside the skill directory is still a significant capability.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface because it processes the content of .enc.yaml files found in the workspace.
- Ingestion points: Data enters the agent context through encrypted YAML files found in the project root.
- Boundary markers: The decryption workflow provides no delimiters around the file content and no instruction to ignore embedded instructions.
- Capability inventory: The skill has access to shell execution (sops), file deletion (rm), and script execution (python3).
- Sanitization: The workflow does not describe any sanitization or validation of the decrypted content before it is processed further or converted.
- [SAFE]: The skill follows security best practices by verifying that the encryption key is present before operating and by instructing users to exclude decrypted secrets from version control via .gitignore.
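The following is an added example illustrating the COMMAND_EXECUTION finding; it is not code from the audited sops-decrypt skill or from the sops project. It shows the flagged pattern (a workspace-derived file name spliced into a shell string) next to a hardened form that validates the name, confines the resolved path to the workspace and passes an argv list to subprocess without a shell. The naming policy (ENC_NAME), the workspace location used in the demo and the hostile file name are assumptions made for the demonstration; sops --decrypt is the real CLI invocation the finding quotes.

```python
"""Added example for the COMMAND_EXECUTION finding. Not code from the audited
skill; the naming policy, workspace path and hostile name are assumptions."""
import re
import shutil
import subprocess
from pathlib import Path

# Assumed policy: a secrets file is a bare name (no path separators) built from
# safe characters and ending in .enc.yaml. Adjust to the project's convention.
SUFFIX = ".enc.yaml"
ENC_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.enc\.yaml")


def vulnerable_command(name: str) -> str:
    """The pattern the finding flags: a workspace-derived name spliced into a
    string that is then handed to a shell (shell=True / os.system). Returned
    as a string so the example never executes it."""
    return f"sops --decrypt {name} > {name[:-len(SUFFIX)]}.yaml"


def is_safe_name(name: str) -> bool:
    """True if the name matches the assumed policy and carries no NUL byte."""
    return "\x00" not in name and ENC_NAME.fullmatch(name) is not None


def build_decrypt_argv(name: str, workspace) -> list:
    """Hardened form: validate the name, confine the resolved path to the
    workspace (resolve() follows symlinks, so a link escaping the tree is
    caught) and return an argv list for subprocess.run(..., shell=False).
    With an argv list the file name is a single argument; any shell
    metacharacters in it are never interpreted."""
    if not is_safe_name(name):
        raise ValueError(f"rejected file name: {name!r}")
    root = Path(workspace).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError(f"{name!r} resolves outside the workspace: {target}")
    return ["sops", "--decrypt", str(target)]


def decrypt_to_file(name: str, workspace) -> Path:
    """Run sops without a shell and write the plaintext to <name>.yaml with
    mode 0600. The decrypted bytes are treated as opaque data: nothing here
    feeds them back into a command line or an agent prompt."""
    argv = build_decrypt_argv(name, workspace)
    out = Path(workspace).resolve() / (name[:-len(SUFFIX)] + ".yaml")
    result = subprocess.run(argv, check=True, capture_output=True)
    out.touch(mode=0o600, exist_ok=True)
    out.chmod(0o600)
    out.write_bytes(result.stdout)
    return out


if __name__ == "__main__":
    ws = Path("/tmp/example-workspace")          # assumed location
    hostile = "$(touch /tmp/pwned).enc.yaml"    # constructed hostile name
    print("shell string the finding warns about:", vulnerable_command(hostile))
    print("argv for a benign name:", build_decrypt_argv("secrets.enc.yaml", ws))
    try:
        build_decrypt_argv(hostile, ws)
    except ValueError as exc:
        print("hostile name rejected:", exc)
    # Only touch the real tool if it and a sample file are actually present.
    if shutil.which("sops") and (ws / "secrets.enc.yaml").exists():
        print("decrypted to", decrypt_to_file("secrets.enc.yaml", ws))
```

The argv list alone removes the injection vector; the name check and the parent-directory comparison are defence in depth against path traversal and symlinked workspace entries, which the finding does not mention but which the same workspace-derived input can carry. Writing the plaintext with mode 0600 complements the .gitignore advice in the SAFE finding.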
Audit Metadata