nextcloud-admin
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill generates shell-based `curl` commands using variable interpolation for file paths, filenames, and user IDs (e.g., `curl ... "$NEXTCLOUD_URL/.../$filename"`). If these values are retrieved from the Nextcloud server (via `PROPFIND` or user listings) and contain shell metacharacters such as backticks or semicolons, it could result in arbitrary command execution on the host environment.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
  - Ingestion points: Data enters the agent's context through file listings (PROPFIND), file content downloads (GET), and user metadata queries in `SKILL.md` and `references/api-reference.md`.
  - Boundary markers: There are no instructions or delimiters provided to ensure the agent ignores instructions potentially embedded within the downloaded files or server metadata.
  - Capability inventory: The skill has the capability to execute shell commands (`curl`), write to the local file system (`curl -o`), and perform network operations.
  - Sanitization: There is no evidence of sanitization or validation of the data retrieved from the server before it is used in logic or displayed to the user.
- [DATA_EXFILTRATION]: The skill handles highly sensitive credentials (`NEXTCLOUD_TOKEN` and `NEXTCLOUD_ADMIN_TOKEN`) and transmits them via Basic Auth. While necessary for the skill's function, an attacker who controls a Nextcloud instance or can influence the `NEXTCLOUD_URL` could capture these administrative tokens.
- [CREDENTIALS_UNSAFE]: The documentation and reference files contain hardcoded example passwords (e.g., `SuperSecret123`, `SecurePass123`, `SecurePass123`). Although these appear to be placeholders, the use of specific strings rather than generic markers (like `<password>`) is a poor security practice.
Audit Metadata