skills/open-horizon-labs/skills/ship/Gen Agent Trust Hub

ship

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill explicitly directs the agent to 'Execute each step' or 'provide commands to execute' during the shipping phase. Evidence in 'Example 3' shows the agent running shell commands like 'pio run' and 'pio device monitor' on the host system. This allows for arbitrary code execution based on the agent's reasoning.
  • [PROMPT_INJECTION] (HIGH): This skill is highly susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data and possesses write/execute capabilities.
      ◦ Ingestion points: PR descriptions, CI/CD configuration files (YAML, pipeline definitions), and local session files in '.oh/'.
      ◦ Boundary markers: Absent. There are no instructions to delimit external content or ignore instructions embedded within processed data.
      ◦ Capability inventory: Arbitrary subprocess execution (shell commands), file system modification (writing session files), and CI/CD pipeline triggers (GitHub Actions, etc.).
      ◦ Sanitization: Absent. The skill does not require validation or escaping of external content before it is used to determine 'Ship Actions' or 'Verification' steps.
  • [DATA_EXFILTRATION] (MEDIUM): The skill requires the agent to read sensitive CI/CD configurations and build definitions. While it doesn't contain exfiltration code, the capability to read these files combined with the intent to 'report status' to external PRs creates an exposure risk for secrets contained in build logs or YAML files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:29 PM