delayed-command
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is designed to execute arbitrary Bash commands provided via the `command` argument. It uses the pattern `sleep <seconds> && <command>` without any validation or sanitization, allowing for the execution of any system command.
- [REMOTE_CODE_EXECUTION] (HIGH): The direct execution of unvalidated user/LLM input in a shell environment constitutes a remote code execution vulnerability if the agent is manipulated into running malicious payloads.
- [DATA_EXFILTRATION] (MEDIUM): Arbitrary command execution can be leveraged to read sensitive local files (e.g., ~/.ssh/id_rsa) and exfiltrate them via network commands like `curl` or `wget`.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill presents a vulnerability surface for indirect prompt injection.
  1. Ingestion points: The `command` argument in `SKILL.md`.
  2. Boundary markers: Absent. The input is interpolated directly into a shell command string.
  3. Capability inventory: Full Bash shell execution, including subprocess spawning and background tasks.
  4. Sanitization: Absent. No filtering or validation is performed on the input string before execution.
Recommendations
- AI detected serious security threats
Audit Metadata