skill-feedback
Fail
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The workflow in SKILL.md Step 5 performs shell command execution using the gh CLI. It directly interpolates user-controlled variables like skill_name, summary, and rendered issue body into the command string. Without proper shell escaping or sanitization, an attacker can provide input containing shell metacharacters (e.g., backticks, semicolons) to execute arbitrary commands on the host system.
- [DATA_EXFILTRATION]: The skill instructs the agent to access and utilize a private key located at ~/.config/ol-skill-feedback/private-key.pem to generate tokens for anonymous issue posting. Referencing and interacting with private keys is a high-risk activity that could lead to the exposure or exfiltration of sensitive credentials if the agent's context is compromised.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted user feedback (observed_output, expected_output) and passes it to high-privilege shell operations. There are no boundary markers or sanitization logic present to prevent embedded instructions from manipulating the resulting shell commands. Evidence:
  1. Ingestion points: User parameters and skill output history.
  2. Boundary markers: Absent.
  3. Capability inventory: Shell execution of gh and python3.
  4. Sanitization: Absent.
Recommendations
- AI detected serious security threats
Audit Metadata