Skills
skills/muratcankoylan/agent-skills-for-context-engineering/filesystem-context/Gen Agent Trust Hub

filesystem-context

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The TerminalCapture class in references/implementation-patterns.md utilizes subprocess.run with the shell=True parameter to execute shell commands. This is an insecure practice that can lead to command injection if the command string is constructed from untrusted input.\n- [PROMPT_INJECTION]: The skill's architecture facilitates the ingestion of untrusted data into the agent context, creating a surface for indirect prompt injection.\n
  • Ingestion points: The skill design includes components like SkillLoader, ScratchPadManager, and AgentWorkspace that read content from files and tool outputs into the agent's message history.\n
  • Boundary markers: While the documentation mentions delimiters, the reference code does not implement robust boundary markers to isolate ingested content from instruction strings.\n
  • Capability inventory: The skill possesses significant capabilities, including filesystem operations and arbitrary command execution via terminal tools.\n
  • Sanitization: No sanitization or validation of the ingested content is performed before it is added to the agent's context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 23, 2026, 01:30 PM