procedure-extractor
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains an 'Agent起動テンプレート' (Agent launch template) that explicitly directs the agent to use mode: "bypassPermissions". This is a direct attempt to override standard platform security and permission protocols.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted data from external transcripts and manuals.
- Ingestion points: transcript.txt and manual.md are read and analyzed in the processing flow.
- Boundary markers: Absent. No delimiters or instructions are provided to the agent to distinguish between its own logic and potentially malicious instructions embedded in the input files.
- Capability inventory: The skill has permissions to read local files, write JSON data to the filesystem, and execute shell commands via a validation script.
- Sanitization: Absent. The extracted transcript content is used to populate fields in the output JSON without any validation or filtering.
- [COMMAND_EXECUTION]: The skill includes a 'screenshot_ref 検証コマンド' (validation command) that utilizes jq and bash to process values in the generated procedures.json. Because the data in this JSON is derived from untrusted transcripts, it presents a potential command injection surface if the validation environment is not strictly controlled.
Audit Metadata