Nano Hub
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (HIGH): Step 2 of 'SKILL.md' instructs the agent to execute 'curl -s -F "reqtype=fileupload" -F "fileToUpload=@图片路径" https://catbox.moe/user/api.php'. The '@' prefix makes curl read the named file directly from the local disk. Because that file path is taken from the user-provided 'images' input, an attacker can steer the agent into uploading sensitive files (e.g. '~/.ssh/id_rsa', '.env', or system configuration files) to a public, unauthenticated file-hosting service.
- [COMMAND_EXECUTION] (MEDIUM): The skill's core workflow depends on shell command execution ('curl'). This creates a risk of argument injection and path traversal if the agent is not strictly constrained, or if the supplied file paths contain shell metacharacters.
- [PROMPT_INJECTION] (HIGH): This skill is vulnerable to Indirect Prompt Injection (Category 8).
  1. Ingestion points: user descriptions and image URLs in 'SKILL.md' and the stack templates.
  2. Boundary markers: none are present in the 'Task' prompts or template files.
  3. Capability inventory: 'curl' (network/file access), 'Task' (subagent execution), 'submit_task' (API interaction).
  4. Sanitization: no sanitization or validation of user input is performed before it is interpolated into subagent prompts. This allows a user to influence subagent behavior, potentially leading to unauthorized file access or malicious tool usage.
Recommendations
- AI detected serious security threats
Audit Metadata