watchlist
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Potential shell command injection in SKILL.md. The skill executes a Python script by interpolating user-provided arguments directly into a bash command string: python3 .../manage_watchlist.py $ARGUMENTS. This pattern is susceptible to injection if the agent's execution environment does not sanitize or escape the $ARGUMENTS variable before the shell interprets it.
- [DATA_EXFILTRATION]: Path traversal vulnerability in scripts/manage_watchlist.py. The name argument is used to construct file paths with os.path.join(WATCHLIST_DIR, f"{name}.json") without any sanitization. An attacker could supply ../ sequences to read existing JSON files outside the watchlist directory, or to overwrite files in other directories with JSON-formatted data.
- [DATA_EXFILTRATION]: Exposure of local environment metadata. The SKILL.md file contains a hardcoded absolute path (/Users/kikuchihiroyuki/...) that reveals the system username of the author or environment owner.
- [PROMPT_INJECTION]: The skill persists untrusted user input to the filesystem, where it is later read back, creating an attack surface for indirect prompt injection.
- Ingestion points: User-provided name and symbols arguments passed via sys.argv to manage_watchlist.py.
- Boundary markers: None. Input is processed and stored directly.
- Capability inventory: The script has the capability to read and write files and is executed via a shell tool.
- Sanitization: There is no validation or sanitization of input strings before they are used in path construction or file writes.
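The two flagged patterns, the shell string built from $ARGUMENTS and the unsanitized os.path.join(WATCHLIST_DIR, f"{name}.json"), are reproduced below beside a hardened form of each. This is an added example written for this report; it is not code from the watchlist skill or from Gen Agent Trust Hub. WATCHLIST_DIR (a temporary sandbox), SCRIPT, the function names and the sample inputs are hypothetical; nothing is known about the audited script beyond the quoted line.

```python
"""Added example, not code from the watchlist skill or from Gen Agent Trust Hub.

Reproduces the two patterns flagged in the findings and shows a hardened
form of each. WATCHLIST_DIR, SCRIPT, the function names and the sample
inputs are hypothetical; the audited script's structure beyond the quoted
line is unknown.
"""
import json
import os
import re
import shlex
import tempfile

# Constructed sandbox standing in for the skill's real WATCHLIST_DIR.
WATCHLIST_DIR = tempfile.mkdtemp(prefix="watchlist_")
# Hypothetical script name; the report only shows a truncated path.
SCRIPT = "manage_watchlist.py"


def vulnerable_watchlist_path(name: str) -> str:
    """The pattern quoted in the finding: name goes straight into the path."""
    return os.path.join(WATCHLIST_DIR, f"{name}.json")


def escapes_dir(path: str) -> bool:
    """True if path resolves to a location outside WATCHLIST_DIR."""
    root = os.path.realpath(WATCHLIST_DIR)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


# Hardened form: allowlist the name, then confirm the resolved path is still
# inside the directory (defence in depth against anything the regex misses,
# e.g. a symlink already present inside WATCHLIST_DIR).
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_watchlist_path(name: str) -> str:
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid watchlist name: {name!r}")
    root = os.path.realpath(WATCHLIST_DIR)
    candidate = os.path.realpath(os.path.join(root, f"{name}.json"))
    # commonpath, not startswith: "/data/wl" is a string prefix of "/data/wl2".
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes WATCHLIST_DIR: {candidate}")
    return candidate


def save_watchlist(name: str, symbols: list[str]) -> str:
    path = safe_watchlist_path(name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"name": name, "symbols": symbols}, fh)
    return path


def load_watchlist(name: str) -> dict:
    with open(safe_watchlist_path(name), encoding="utf-8") as fh:
        return json.load(fh)


def safe_invocation(arguments: str) -> list[str]:
    """Build argv for the script without handing a string to a shell.

    This is what the agent side should do instead of interpolating
    $ARGUMENTS into "python3 ... manage_watchlist.py $ARGUMENTS": split with
    shell-like quoting rules, then call subprocess.run(argv) with no
    shell=True. Metacharacters stay inside a single argv element, so
    "tech; id" never executes id, and the script's own name check then
    rejects the "tech;" token.
    """
    return ["python3", SCRIPT, *shlex.split(arguments)]


if __name__ == "__main__":
    hostile = "../../escape"  # constructed attacker-controlled name
    print("vulnerable path escapes dir:",
          escapes_dir(vulnerable_watchlist_path(hostile)))
    try:
        safe_watchlist_path(hostile)
    except ValueError as exc:
        print("hardened form rejected it:", exc)
    save_watchlist("tech", ["AAPL", "MSFT"])
    print("round trip:", load_watchlist("tech"))
    print("argv for hostile ARGUMENTS:", safe_invocation("tech; id"))
```

Both checks are needed: the regex stops traversal and shell metacharacters at the argument boundary, and the realpath/commonpath comparison catches anything that still resolves outside the directory. The argv construction only removes the shell from the invocation; it does not validate the arguments, which remains the script's job.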
Recommendations
- The automated analysis detected serious security threats; the skill fails the audit until the findings above are addressed.