astro-cta-injector
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): Vulnerability to Indirect Prompt Injection. The skill ingests untrusted blog content (Astro/Markdown) and displays it to the agent via scripts/preview_injection.py without sanitization or boundary markers. Malicious instructions embedded in blog posts could hijack the agent's behavior during the injection process. Evidence: Ingestion point is scripts/preview_injection.py via open().read(); boundary markers and sanitization are absent; capability includes file system modification via inject_ctas.py.
- COMMAND_EXECUTION (MEDIUM): Core scripts score_posts.py and inject_ctas.py are referenced in the workflow but their source code is missing. Their absence prevents verification of the file-modification logic and of claimed safety features such as backups and rollbacks.
- COMMAND_EXECUTION (LOW): The skill uses brittle dynamic path manipulation (sys.path.insert) to import modules from a directory four levels above the skill root. These dependencies (config_loader, utils) are external and unverifiable.
Recommendations
- AI detected serious security threats
Audit Metadata