tilt
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (MEDIUM): Vulnerability to indirect prompt injection via ingestion of untrusted external content.
  - Ingestion points: The skill retrieves application logs using `tilt logs` and resource metadata via `tilt get uiresources`. This data originates from the application's runtime or project configuration files (Tiltfiles) which may be attacker-controlled in a shared environment or via a malicious PR.
  - Boundary markers: Absent. There are no delimiters or instructions provided to the agent to treat log content as data rather than instructions.
  - Capability inventory: The skill provides high-impact capabilities including starting/stopping environments (`tilt up`, `tilt down`), triggering updates, and managing `tmux` sessions. An attacker could use injected instructions in logs to influence the agent into executing these actions maliciously.
  - Sanitization: Absent. Data from external sources is passed directly into the agent's context without filtering or escaping.
- COMMAND_EXECUTION (LOW): The skill performs shell command assembly using local environment variables.
  - The `tmux` session management logic uses `git rev-parse` and `basename` to derive session names. While variables are quoted, this pattern relies on the integrity of the local filesystem structure and could lead to unexpected behavior if operating on directories with malicious names designed to break shell parsing.
Audit Metadata