prompt-generator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (CRITICAL): Shell Command Injection vulnerability in the 'Output and Save' step. The skill instructs the agent to execute: echo "<generated_prompt>" | python scripts/save_prompt.py <project_root> <phase_number> <phase_name>. Since <generated_prompt>, <project_root>, and <phase_name> are constructed from user-provided input without sanitization, an attacker can inject shell metacharacters (e.g., ";", "&", "|", or backticks) to execute arbitrary commands.
  - Evidence (SKILL.md): echo "<generated_prompt>" | python scripts/save_prompt.py <project_root> <phase_number> <phase_name>
- [REMOTE_CODE_EXECUTION] (CRITICAL): The command injection vulnerability mentioned above directly facilitates Remote Code Execution (RCE), as the agent executes shell-level instructions on the host machine.
- [PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection. The skill's core function is to generate instructions for downstream subagents.
  - Ingestion points: Processes user-provided variables like PHASE_NAME and PHASE_DOC_PATH and reads references/implementation-prompt-template.md.
  - Boundary markers: Absent. The template uses simple curly-brace interpolation ({PLACEHOLDER}), which does not prevent malicious instructions in the input from overriding the template's intent.
  - Capability inventory: Possesses file-writing capabilities and local script execution (scripts/save_prompt.py).
  - Sanitization: None. The skill blindly interpolates user input into a prompt that directs orchestration logic, allowing an attacker to hijack the behavior of subsequent agent sessions.
Recommendations
- AI detected serious security threats
Audit Metadata