fix-decision-router
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Option 8 ('Other') instructs the agent to 'Prompt for custom action and execute'. When combined with the 'Bash' tool listed in 'allowed-tools', this creates a high-risk vector for arbitrary command execution on the host system.
- [REMOTE_CODE_EXECUTION] (HIGH): Option 5 ('Create new skill') allows for the creation of new directories and 'SKILL.md' files within the 'plugins/' directory. This allows for the dynamic creation of executable agent code that could be used to introduce malicious logic into the agent's environment.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) as it processes data from external files without sanitization.
- Ingestion points: Content is read from the file path provided in the 'doc_path' input and appended to other system files (e.g., 'critical-patterns.md').
- Boundary markers: None. The skill extracts and formats content (WRONG vs CORRECT) without using delimiters to prevent embedded instructions from being interpreted as commands.
- Capability inventory: The skill has 'Bash', 'Write', and 'Edit' permissions, allowing it to modify core agent configuration and knowledge files.
- Sanitization: No sanitization or validation is performed on the extracted documentation before it is written to new or existing skills.
Recommendations
- AI detected serious security threats
Audit Metadata