printing-press-retro

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [DATA_EXFILTRATION]: Uploads packaged session data and CLI source code to catbox.moe via curl in references/artifact-packaging.md. This is a non-whitelisted domain used for public file hosting, which can lead to the exposure of sensitive logs and intellectual property.
  • [PROMPT_INJECTION]: Ingests untrusted data from manuscript files (research briefs, logs, proofs) to populate GitHub issue titles and bodies. This creates an indirect prompt injection surface.
      ◦ Ingestion points: Read operations in SKILL.md Phase 1 target files in $RUN_DIR and $CLI_DIR.
      ◦ Boundary markers: The instructions lack explicit delimiters or instructions to ignore embedded commands within the ingested data.
      ◦ Capability inventory: The skill can execute shell commands via Bash, make network requests via curl, and create issues via the gh CLI.
      ◦ Sanitization: Redaction is performed for credentials in references/secret-scrubbing.md, but the content is not sanitized for malicious instructions before being used in GitHub issue templates.
  • [COMMAND_EXECUTION]: Dynamically generates and executes python3 and perl commands for secret redaction and HAR file processing in references/secret-scrubbing.md. While these are used for redaction, executing code assembled from string concatenation at runtime is a risk factor.
  • [EXTERNAL_DOWNLOADS]: Performs network uploads to the external service catbox.moe using curl.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 7, 2026, 05:22 PM