skills/lobbi-docs/claude/keycloak/Gen Agent Trust Hub

keycloak

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill documentation includes hardcoded default credentials ('username=admin' and 'password=admin') in an example curl command for token retrieval. While intended for development, this promotes unsafe credential practices.
  • [COMMAND_EXECUTION] (LOW): The skill utilizes powerful system tools including 'Bash' and 'docker exec' to perform administrative tasks like exporting realms and starting services. These tools provide a direct path to host or container compromise if abused.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: Processes data from the Keycloak Admin REST API (e.g., user lists, client configurations) and OIDC discovery endpoints via 'WebFetch' and 'curl'.
      • Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the processed data.
      • Capability inventory: Access to 'Bash', 'Write', 'Edit', and 'docker exec' allows for significant system side effects.
      • Sanitization: No sanitization or validation of the ingested API data is specified before the agent processes it. The capability to execute commands based on potentially attacker-controlled user or client metadata constitutes a high-risk surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:53 AM