debug
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interpolates unvalidated user input into a shell command, allowing for potential arbitrary command execution.
- Evidence: The skill uses the pattern
codex exec "DEBUG: $SYMPTOMS. ...". Since$SYMPTOMSis populated from user input and placed inside double quotes in a shell execution context, an attacker can use shell metacharacters or command substitution (e.g.,$(touch /tmp/pwned)) to execute commands on the host system. - [DATA_EXFILTRATION]: The instructions direct the agent to gather potentially sensitive system information.
- Evidence: Under the 'What's the environment?' section, the skill explicitly instructs the agent to gather 'Environment variables'. This frequently includes secrets such as API keys, database credentials, and session tokens, which are then passed into the agent context and potentially to the external
codextool. - [PROMPT_INJECTION]: The skill lacks sufficient boundary markers when processing external data.
- Evidence: Both
$ARGUMENTSand$SYMPTOMSare interpolated into the prompt and external tool commands without XML tags, triple-backticks, or 'ignore embedded instructions' warnings. This makes the agent susceptible to following malicious instructions embedded within the reported bug symptoms.
Recommendations
- AI detected serious security threats
Audit Metadata