investment-note
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
SKILL.mdfile passes the$ARGUMENTSvariable directly into a bash command string. This allows for potential command injection if shell metacharacters (such as semicolons, backticks, or pipes) are included in the input provided to the agent. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. 1. Ingestion points: The
savecommand inscripts/manage_note.pyaccepts unsanitized text via the--contentargument. 2. Boundary markers: None are used when displaying notes; content is printed directly into a markdown table. 3. Capability inventory: The skill hasBashexecution privileges via the python3 tool. 4. Sanitization: There is no validation or sanitization to ensure that note content does not contain instructions that could hijack the agent's logic. - [COMMAND_EXECUTION]: The Python script
scripts/manage_note.pydynamically alters the module search path usingsys.path.insertwith a computed path based on the file location, which could be exploited to load malicious modules if the directory structure is manipulated.
Audit Metadata