gsp-add-reference
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bash command
mkdir -p {PROJECT_PATH}/referencesin SKILL.md uses string interpolation for a path derived from scanned directory names. If a directory name contains shell metacharacters (e.g., semicolons or backticks), it could lead to arbitrary command execution. Mitigation: Use safe path joining and filesystem APIs instead of shell interpolation. - [EXTERNAL_DOWNLOADS]: The skill fetches content from user-provided URLs in Step 3 of SKILL.md. This can be exploited for Server-Side Request Forgery (SSRF) to access internal metadata services or probe the local network. Mitigation: Restrict fetching to specific domains and validate URLs before processing.
- [PROMPT_INJECTION]: The skill creates a surface for Indirect Prompt Injection.
- Ingestion points: The skill fetches content from external URLs and reads local files to create reference materials (found in SKILL.md).
- Boundary markers: Absent; content is stored and used as context without delimiters or instructions for agents to disregard embedded commands.
- Capability inventory: The skill and its downstream consumers (design, build, research agents) use
Bash,Write, andReadtools. - Sanitization: Absent; the skill does not filter or sanitize malicious instructions found in reference content.
- Downstream Impact: Reference content is explicitly passed to high-capability agents as trusted context, allowing an attacker to influence the build or design phases through a malicious webpage or file. Mitigation: Enclose reference data in unique delimiters (like XML tags) with explicit instructions for the agent to treat the content strictly as data.
Audit Metadata