aptos-society
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Persistence Mechanisms] (HIGH): The skill instructs the agent to modify `~/.ruler/AGENTS.md` in the user's home directory. Modifying hidden configuration files to enforce the 'Triadic Skill Forcing' protocol is a persistence mechanism that overrides the agent's default behavior across sessions.
- [Command Execution] (MEDIUM): The Babashka (Clojure) integration code explicitly imports `babashka.process :refer [shell]`. While the provided snippet only constructs strings, providing the capability to execute shell commands within the skill context is a significant security risk.
- [Prompt Injection] (MEDIUM): The 'Triadic Skill Forcing' and 'Ruler Enforcement' sections define mandatory operational rules (e.g., 'Every interaction MUST load exactly 3 skills') that attempt to override the agent's native logic and safety steering.
- [Indirect Prompt Injection] (HIGH):
  - Ingestion points: Segment letters (A-Z) used to construct tool names.
  - Boundary markers: None. The skill uses raw string interpolation to build tool paths.
  - Capability inventory: Includes `aptos_transfer` and `aptos_swap`, which facilitate financial transactions.
  - Sanitization: None. The logic relies on a 'Derangement Protocol' for seeds, but the tool invocation surface is wide and lacks input validation, allowing potentially malicious segment selection to trigger unintended tool calls.
Recommendations
- AI detected serious security threats
Audit Metadata