mz-debug-ci

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly requires setting dangerouslyDisableSandbox: true for all Bash commands to allow the gh and bk CLI tools to perform network operations. This configuration removes default security boundaries and increases the risk profile of all subsequent operations.
  • [COMMAND_EXECUTION]: There is a potential command injection vulnerability in Step 2. The PR number parsed from $ARGUMENTS is directly interpolated into shell commands such as gh pr view <PR_NUMBER>. If the agent fails to strictly validate that the input is a numeric ID or a valid URL, a malicious user could provide shell metacharacters (e.g., ;, &, |) to execute arbitrary commands in an unsandboxed environment.
  • [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface (Category 8):
      • Ingestion points: The skill fetches raw job logs (bk job log) and build annotations (bk api .../annotations) from the external Buildkite CI environment (SKILL.md).
      • Boundary markers: There are no instructions or delimiters provided to the agent to treat this external content as untrusted or to ignore instructions embedded within the logs.
      • Capability inventory: The agent has the capability to execute shell commands with the sandbox disabled (dangerouslyDisableSandbox: true) across all scripts.
      • Sanitization: No sanitization, filtering, or validation is performed on the CI logs or annotations before the agent processes them.
      • Risk: An attacker could craft a PR that generates specific log output containing malicious instructions. If the agent processes these logs while debugging, it may follow the embedded instructions, potentially resulting in the exfiltration of environment variables or sensitive local files accessible due to the disabled sandbox.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 03:17 PM