presentations

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The serve.ts file implements a custom HTTP server with a path traversal vulnerability in its image-serving route. The code explicitly handles parent directory references (.. and %2E%2E) but fails to sanitize the resulting path before joining it with the base directory. This could allow an attacker to read arbitrary files on the host system by using crafted requests like http://localhost:3210/../images/../../etc/passwd to traverse outside the intended workspace.
  • [COMMAND_EXECUTION]: The skill workflow involves executing shell commands for asset management. It instructs the agent to use curl to download external images and uses execSync within the serve.ts script to launch system-level browser processes (open, xdg-open, start) based on the operating system.
  • [EXTERNAL_DOWNLOADS]: The skill performs automated downloads of images from external, unverified URLs identified during the research phase using curl. This involves connecting to non-whitelisted domains based on dynamic search results.
  • [PROMPT_INJECTION]: The skill defines an 'Autonomy Doctrine' instructing the agent to 'Act, don't ask' and explicitly forbids permission requests. This is a form of behavior override that attempts to bypass the standard human-in-the-loop safety model and user confirmation guardrails.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection as it scrapes external web content (via web-search and scrape-webpage) and interpolates it into HTML slides and tool parameters without sanitization.
    • Ingestion points: Web search and webpage scraping results processed in Phase 2 and Phase 3 of the SKILL.md workflow.
    • Boundary markers: Absent; no delimiters or 'ignore instructions' warnings are used when interpolating scraped content into tool calls.
    • Capability inventory: Shell execution (curl), tool-based file writing (presentation-gen), and local server execution (serve.ts).
    • Sanitization: Absent; content is used directly in HTML generation and potentially in shell command construction.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 3, 2026, 08:36 AM