
websh

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly susceptible to Indirect Prompt Injection. It fetches untrusted HTML from external URLs and passes it to a background subagent for extraction. An attacker could embed instructions in a webpage to hijack the subagent.
      1. Ingestion points: Web content fetched from any URL via the 'cd' command and processed in 'state/cache.md'.
      2. Boundary markers: Absent. The 'EXTRACTION_PROMPT' does not use delimiters or instructions to ignore commands within the source HTML.
      3. Capability inventory: The system can write to the local filesystem ('.websh/' directory) and spawn background tasks via the 'Task' abstraction.
      4. Sanitization: No sanitization is performed on the HTML content before it is processed by the AI subagent.
  • [Prompt Injection] (MEDIUM): The 'SKILL.md' file contains instructions that direct the agent to 'infer intent' and 'just execute' without asking for clarification, which bypasses typical safety confirmation protocols.
  • [COMMAND_EXECUTION] (LOW): The initialization process uses shell commands ('mkdir', 'touch', 'echo') to set up the local workspace. While names are slugified, this represents an active file-system modification surface.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill fetches content from any user-provided URL as its primary function.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 10:24 PM