finops-overview
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The execution command in SKILL.md passes the $ARGS variable to a shell script without quoting it: bash "${SKILL_DIR}/scripts/billing-summary.sh" $ARGS. This allows a user or a malicious prompt to inject arbitrary shell commands by including characters such as semicolons, pipes, or backticks in the input parameter.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection.
  - Ingestion points: The script scripts/billing-summary.sh retrieves external data (workflow names) from the GitHub API via gh api.
  - Boundary markers: Absent. The workflow names are printed directly to the output without delimiters or instructions to the agent to treat the data as untrusted.
  - Capability inventory: The skill allows the use of Bash(bash *) and TodoWrite, which provide a significant attack surface if the agent is manipulated by injected instructions.
  - Sanitization: Absent. Data is extracted via jq and displayed without any filtering or escaping of potential instructions.
- [COMMAND_EXECUTION]: The scripts/billing-summary.sh script lacks validation for the org and repo arguments. Although variables are quoted within the script's internal gh api calls, an attacker could provide values that cause API path traversal or include CLI flags that modify the behavior of the GitHub client tool.
Recommendations
- AI detected serious security threats
Audit Metadata