safe-build-operations
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The allowed tool Bash(make:*) provides unrestricted access to any target defined in a Makefile. Makefiles are capable of executing arbitrary shell commands, meaning the agent has high-privilege execution capabilities on the host system.
- [REMOTE_CODE_EXECUTION] (HIGH): If the agent interacts with external code repositories (e.g., via the Read and Glob tools), an attacker can perform indirect prompt injection by placing malicious commands in a Makefile. When the agent attempts to 'build' the project, it will execute the attacker's code.
- [INDIRECT_PROMPT_INJECTION] (HIGH): Mandatory Evidence Chain:
  - Ingestion points: Reads project files using the Read, Glob, and Grep tools (SKILL.md).
  - Boundary markers: None identified. There are no instructions to ignore embedded commands within the files being processed.
  - Capability inventory: Bash(make:*) and Bash(idf.py:*) provide the ability to execute complex build scripts and subprocesses.
  - Sanitization: None. The skill does not validate the content of the Makefiles before passing them to the system shell via make.
- [METADATA_POISONING] (MEDIUM): The skill's name and description ('safe-build-operations', 'Safely execute...', 'Prevents dangerous operations') are self-referential safety claims that may mislead the agent or an auditor into assuming technical constraints exist when only instructions are present.
Recommendations
- AI detected serious security threats
Audit Metadata