btca-eager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill executes the shell command btca ask -r <resource> -q "<question>". Both the resource name and the question are derived from untrusted sources (project-level config files and user input). A malicious question (e.g., "; touch /tmp/pwned #") or a malicious config file could lead to arbitrary command execution.
- [PROMPT_INJECTION] (MEDIUM): The instructions explicitly tell the agent to act "automatically" and "without prompting the user". This removes critical human-in-the-loop safety checks, increasing the risk that a malicious prompt could trigger dangerous actions without oversight.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is vulnerable to data-driven attacks through its ingestion process.
  - Ingestion points: Reads btca.config.jsonc from the current project root and accepts arbitrary strings for the <question> parameter.
  - Boundary markers: None. Input is directly interpolated into a shell command.
  - Capability inventory: Executes subprocesses/shell commands via the btca binary.
  - Sanitization: None mentioned. The skill assumes the config file and user input are safe to use as CLI arguments.
- [DATA_EXPOSURE] (MEDIUM): The skill accesses ~/.config/btca/btca.config.jsonc. If an attacker can influence the resource selection via a local config file, they could potentially trick the agent into sending sensitive data from the home directory to an attacker-controlled btca resource.
Recommendations
- AI detected serious security threats
Audit Metadata