user-file-ops
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted data from 'work/inputs/' and 'out/'.
  * Ingestion points: Files in work/inputs/ and out/ (SKILL.md).
  * Boundary markers: Absent; no delimiters or instructions to ignore embedded content are defined.
  * Capability inventory: Shell script execution (bash scripts/summarize_file.sh) and file system writes to 'out/' (SKILL.md).
  * Sanitization: Absent; no validation or filtering of external content is mentioned.
- [Command Execution] (MEDIUM): The skill documentation explicitly uses bash to execute a local script ('scripts/summarize_file.sh') with file paths provided as arguments. This pattern is susceptible to command injection or path traversal if the script does not properly validate its arguments or handles filenames unsafely.
- [External Downloads] (LOW): The skill is hosted by 'trpc-group', which is not a pre-approved trusted source. While the metadata does not show active downloads, the reliance on a repository outside the trust scope requires manual script auditing.
Recommendations
- AI detected serious security threats
Audit Metadata