printing-press-reprint

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Phase C calculates research age using a dynamic Python command that is vulnerable to injection.
  • Evidence: The skill uses python3 -c with a script template: ts = '$RESEARCHED_AT'.replace(...).
  • Variable Source: The $RESEARCHED_AT variable is populated from a research.json file using jq.
  • Security Concern: Direct interpolation of variables from external files into a script string allows for Python code injection if the input file contains malicious string-closing characters and Python code.
  • [PROMPT_INJECTION]: The skill facilitates the flow of untrusted data from multiple sources into a downstream agent's context.
  • Ingestion Points: User-provided 'reprint reasons' and the contents of the research.json and registry.json files.
  • Boundary Markers: The user context is wrapped in a dedicated block, which helps but does not eliminate injection risks.
  • Capability Inventory: The skill employs Bash for file system operations and the Skill tool to trigger complex downstream logic.
  • Sanitization: There is no evidence of sanitization or filtering for instructions hidden within the research files or the user's freeform input.
  • Security Concern: This creates a surface for Indirect Prompt Injection, where an attacker could influence the 'novel-features' subagent's output by embedding instructions in the input data.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 7, 2026, 05:23 PM