finops-overview
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Potential shell command injection vulnerability in SKILL.md. The execution instruction `bash "${SKILL_DIR}/scripts/billing-summary.sh" $ARGS` uses an unquoted variable for user-supplied arguments. An attacker providing an `org` argument containing shell metacharacters (e.g., `;`, `|`, `$(...)`) could execute arbitrary commands on the host system.
- [COMMAND_EXECUTION]: Use of dynamic context injection via `!git remote get-url origin` in SKILL.md. This command is executed automatically at skill load time to retrieve the repository's origin URL without explicit user confirmation.
- [DATA_EXFILTRATION]: Extraction of sensitive infrastructure metadata. The script `scripts/billing-summary.sh` uses `gh api` to retrieve organization-level billing information (total and paid minutes) and cache usage statistics, which are then exposed in the agent's output.
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection through external data.
  1. Ingestion points: Workflow names and run conclusions retrieved from the GitHub API in `scripts/billing-summary.sh`.
  2. Boundary markers: Absent when outputting processed data to the agent.
  3. Capability inventory: Broad shell access via `Bash(bash *)` and file writing via `TodoWrite`.
  4. Sanitization: The script uses `jq` for data extraction, which provides structural safety, but it does not sanitize or escape the content of the strings before they are incorporated into the agent's context.
Audit Metadata