btca-lazy
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill directs the agent to execute bash commands like btca ask -r <resource> -q "<question>" using strings interpolated from user input. This is vulnerable to shell injection if the agent does not sanitize characters like ;, |, or `.
- INDIRECT_PROMPT_INJECTION (HIGH): The workflow ingests untrusted data from btca.config.jsonc in the project root. Evidence: 1. Ingestion: project root config file. 2. Boundary markers: absent. 3. Capability: bash execution. 4. Sanitization: absent. An attacker could use a malicious repository config to control the agent's tool parameters.
- DATA_EXFILTRATION (MEDIUM): The btca ask command sends queries to an external source, which may expose local repository context or sensitive user queries to the tool's backend.
- DATA_EXPOSURE (MEDIUM): The skill attempts to read ~/.config/btca/btca.config.jsonc, which involves accessing the sensitive home directory configuration area.
Recommendations
- AI detected serious security threats