security-auditor
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: CRITICALPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'Steering System' that mandates reading untrusted external files as authoritative project memory.
- Ingestion points: The agent is required to read
steering/structure.md,steering/tech.md, andsteering/product.mdbefore performing any tasks. - Boundary markers: Absent. The skill instructions do not provide delimiters or warnings to the agent to treat content within these files as data rather than directives.
- Capability inventory: The skill has access to
Bash,Read,Grep, andGlobtools, enabling a wide range of actions if the agent follows malicious instructions embedded in the steering files. - Sanitization: Absent. There is no evidence of validation or sanitization of the content read from these files.
- Automated Alert: Automated scans identified a malicious URL within
product.md, which the skill is instructed to read as mandatory context. - [COMMAND_EXECUTION]: The skill uses the
Bashtool to execute security scans, testing commands, and remediation tasks. While necessary for its role, this capability can be exploited to run arbitrary commands if the agent is influenced by malicious input through its data ingestion surfaces. - [EXTERNAL_DOWNLOADS]: The skill instructions suggest downloading and using external security scanners (e.g.,
Snyk,Trivy,OWASP ZAP) and usescurlto test endpoints, which involves network connections to external resources.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata