local-approvals

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's workflow depends on human review of strings provided by other (potentially untrusted) agents. Ingestion points: In core.py, the submit_request function accepts operation and reasoning as arbitrary string arguments from any calling agent. Boundary markers: No delimiters or warnings are used to isolate untrusted agent input from the user's view. Capability inventory: The skill manages security decisions. Approving a request with the --learn flag (invoking core.py:learn_category) permanently modifies state.json to auto-approve future requests in that category. Sanitization: There is no logic to verify that the reasoning accurately describes the operation, or to sanitize these strings for injection attacks. Impact: An attacker could craft a reasoning field that sounds benign for a malicious action, leading to privilege escalation if the user approves and 'learns' the category.
  • Metadata Consistency (LOW): The SKILL.md documentation contains hardcoded absolute paths (e.g., C:\Users\Shai\...) which are specific to the author's environment and may cause the tool to fail or mislead users on other platforms.
  • Missing Files (INFO): The primary entry point cli.py referenced in the documentation is not included in the source code, though the core logic is present in core.py.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:41 AM