debug
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a high-risk attack surface by processing untrusted external data in an environment with command execution capabilities.
  - Ingestion points: Untrusted data enters the agent context via application logs (Task 1), SQLite databases (Task 2), and Git history/diffs (Task 3) as described in SKILL.md.
  - Boundary markers: Absent. There are no instructions or delimiters defined in SKILL.md to distinguish between data and instructions during the investigation.
  - Capability inventory: The skill utilizes shell commands including ls, grep, sqlite3, git, ps, and lsof (SKILL.md) to perform its tasks.
  - Sanitization: Absent. No logic exists to sanitize or validate the content retrieved from logs or databases before it is processed by the agent.
- Data Exposure (HIGH): The skill explicitly instructs the agent to access sensitive system locations.
  - Evidence: SKILL.md lists /var/log/ as a common location for investigation, which often contains sensitive system information, PII, or security event data.
- Command Execution (MEDIUM): The skill relies on executing shell commands for its core functionality.
  - Evidence: Step 2 in SKILL.md outlines multiple tasks using bash and sqlite3 to query system and application state. While intended for debugging, this execution capability is easily leveraged if an indirect prompt injection occurs.
Recommendations
- AI detected serious security threats
Audit Metadata