download-docs
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Shell command injection vulnerability. The skill extracts
{config_name}and{version}directly from user-provided$ARGUMENTSand interpolates them into several shell commands without sanitization or validation. - Evidence:
cat vault/configs/{config_name}.jsonandbash -c 'source ... && download_from_github ... "{version}"'. - [COMMAND_EXECUTION]: Path traversal vulnerability. The use of user-controlled variables in file paths allows an attacker to access or manipulate files outside the intended
vault/directory using../sequences. - Evidence:
cat vault/configs/{config_name}.jsoncan be manipulated to read arbitrary system files if the agent has permissions. - [PROMPT_INJECTION]: Indirect prompt injection surface during the file filtering stage.
- Ingestion points: In Step 5, the agent reads the first 20-30 lines of markdown files (
.md,.mdx) downloaded from external GitHub repositories or URLs. - Boundary markers: Absent. The skill description does not specify the use of delimiters or instructions to the agent to disregard instructions found within the downloaded content.
- Capability inventory: The skill has the ability to delete files (
rm) and directories (find -delete) and execute local shell scripts viabash -c. - Sanitization: Absent. The agent is instructed to evaluate raw content from external files to make decisions about which files to delete.
Recommendations
- AI detected serious security threats
Audit Metadata