skills/plinde/claude-plugins/trivy/Gen Agent Trust Hub

trivy

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it ingests and processes untrusted data from external sources.
    * Ingestion points: Data enters the agent context via trivy repo (external URLs), trivy image (remote registries), and trivy fs (local filesystem files like package.json).
    * Boundary markers: Absent. There are no instructions or delimiters to prevent the agent from obeying natural language instructions embedded within the scan outputs or source files.
    * Capability inventory: The skill can execute subprocesses including trivy, jq, grep, and custom shell scripts, and can write to the filesystem using cat > .trivyignore.
    * Sanitization: Absent. The agent directly interprets output from these tools, which may contain attacker-controlled content from repository READMEs or metadata.
  • [COMMAND_EXECUTION] (MEDIUM): The skill references and executes local shell scripts (scripts/batch_scan.sh and scripts/compare_versions.sh) that are not provided in the analyzed file, making their logic unverifiable and potentially dangerous.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The trivy repo command clones and scans arbitrary remote repositories. While a core feature, this provides a direct vector for ingesting malicious content into the agent's environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:57 PM