work-tracking
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Prompt Injection (HIGH): The `README.md` and `SKILL.md` files employ strong override language (e.g., 'CRITICAL: WORK TRACKING IS NON-NEGOTIABLE', 'NO EXCEPTIONS', 'MANDATORY SEQUENCE'). This pattern attempts to hijack the agent's system instructions and force specific behaviors, which is a common characteristic of prompt injection/bypass attacks.
- Command Execution (HIGH): The included shell scripts contain significant security flaws:
  - In `work-create.sh`, the use of an unquoted Here-Doc (`<<EOF`) allows for command substitution. If a user provides a task name containing `$(...)` or `` `...` ``, the shell will execute those commands when the script runs.
  - The variable `$name` is used directly in file paths and script arguments without sanitization, leading to potential path traversal or argument injection if the task name contains characters like `;`, `&`, or `..`.
- External Downloads (MEDIUM): The documentation directs users to install the skill by fetching files from a third-party GitHub repository (`mohammed-io/agentic-ai-tools`) that is not on the 'Trusted External Sources' list.
- Indirect Prompt Injection (HIGH): This skill creates a high-risk attack surface by processing untrusted user input (task descriptions) and passing it directly to shell scripts with broad execution capabilities.
  - Ingestion points: User-provided task names in `SKILL.md` (Step 3).
  - Boundary markers: None identified.
  - Capability inventory: `Bash`, `Write`, `Edit`, and `Glob` tools are enabled, allowing the agent to execute the vulnerable scripts and modify the filesystem.
  - Sanitization: None. The scripts do not escape or validate the `task_name` input before use in shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata