amp-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill executes external Babashka scripts (scripts/amp_thread_loader.bb). Since the script content is not provided, its actions are unverifiable and could be malicious.
- DATA_EXFILTRATION (HIGH): The skill reads from ~/.amp/file-changes/, which contains private thread history and code diffs. Accessing this sensitive path without explicit user consent constitutes a data exposure risk.
- PROMPT_INJECTION (HIGH): The skill possesses a significant indirect prompt injection surface (Category 8).
  1. Ingestion points: ~/.amp/file-changes/T-*.
  2. Boundary markers: Absent.
  3. Capability inventory: High-privilege command execution via bb and SQL operations via DuckDB.
  4. Sanitization: Absent.
  Malicious instructions embedded in historical file changes could trigger unauthorized actions.
- DYNAMIC_EXECUTION (MEDIUM): DuckDB SQL queries and Babashka script execution are dynamic patterns that could be exploited if influenced by untrusted data sources.
Recommendations
- AI detected serious security threats
Audit Metadata