trace-analysis
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The instructions in SKILL.md direct the agent to execute shell commands using a local Node.js script: node <path_to_the_skill>/scripts/trace_processor_api.mjs "<path_to_ptrace_file>" "". This pattern directly interpolates user-controlled data into a shell command, creating a surface for command injection if the agent or the script fails to sanitize the file path or SQL input.
- [REMOTE_CODE_EXECUTION]: The skill enables dynamic code execution by allowing the user to provide arbitrary SQL queries that are subsequently executed via the shell-based Node.js wrapper. This creates a high-risk surface where a malicious user could attempt to break out of the SQL context into the shell context.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted external trace files (.ptrace). Maliciously crafted metadata or event names within these files could be interpreted as instructions when the agent parses and reports the results.
  - Ingestion points: Reads and processes user-provided .ptrace files and accepts arbitrary SQL queries from the user (referenced in SKILL.md).
  - Boundary markers: None. There are no instructions for the agent to use delimiters or to disregard potential instructions embedded within the trace data or SQL output.
  - Capability inventory: The agent is authorized to execute shell commands (node) to interact with the trace processor (referenced in SKILL.md).
  - Sanitization: None. The skill does not define any validation or escaping mechanisms for the user-supplied paths or SQL strings before they are used in shell commands.