linux-service-triage

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection via the processing of untrusted log data.
    • Ingestion points: The skill reads external content via journalctl, pm2 logs, and Nginx logs (/var/log/nginx/error.log) as defined in references/triage-commands.md.
    • Boundary markers: None. The instructions do not specify any delimiters or warnings for the agent to ignore instructions embedded within the logs.
    • Capability inventory: The skill possesses high-impact capabilities including file modification (Nginx configs), permission changes (chmod/chown), and persistence creation (systemd service units).
    • Sanitization: No sanitization or validation of log content is mentioned before the agent uses the data to formulate a 'Fix plan'.
  • [Privilege Escalation & Persistence] (HIGH): The skill workflow explicitly includes 'Create a systemd service' and 'Fix the permissions'. These are administrative tasks that facilitate persistence (ensuring scripts run on reboot) and privilege escalation (modifying ownership of sensitive paths). If an attacker successfully uses indirect injection to influence these commands, they could gain permanent, high-privilege access to the host.
  • [Command Execution] (MEDIUM): The skill is designed to generate and potentially execute sensitive shell commands (systemctl, chmod, nginx -t). While it includes 'Read-only by default' safety warnings, the core functionality relies on high-privilege command generation which can be easily abused if the agent's output is piped to a shell without rigorous human review.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:49 AM