Gen Agent Trust Hub audit: skills/polarsource/polar/add-locale

add-locale

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's instructions for the Bash tool interpolate the user-provided ${isoAlpha2} value directly into commands such as git checkout -b add-locale-${isoAlpha2} and git commit -m "Register ${isoAlpha2}". Because the value is substituted into the command text before the shell parses it, a value containing shell metacharacters (e.g. ;, &, |, or backticks) would terminate the intended command and run arbitrary commands with the agent's privileges.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted user input for locale settings without sanitization. Ingestion points: the user-provided ${isoAlpha2} and ${localeName} variables referenced in SKILL.md. Boundary markers: absent; the skill neither wraps these variables in delimiters nor tells the agent to validate their format. Capability inventory: Bash for git operations and project scripts, and the Edit/Write tools for modifying source code. Sanitization: absent; nothing verifies that ${isoAlpha2} has the shape of an ISO alpha-2 code, or is otherwise a safe string, before it is used in a command.
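Both findings above come down to the same two gaps: the value is pasted into command text, and its shape is never checked. The script below is an added illustration, not code from the skill or from the audit. The first function reproduces the vulnerable textual interpolation with a harmless echo in place of git; the remaining functions show the shape check and single-argument passing that the audit says are missing. The rule that a valid code is exactly two ASCII letters, and every helper name, are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the audited skill's code): how an unvalidated
# ${isoAlpha2} value becomes command injection, and a check that stops it.
# Assumption: a valid value is exactly two ASCII letters (the alpha-2 shape
# of ISO 639-1 / ISO 3166-1 codes). All helper names are hypothetical.
LC_ALL=C; export LC_ALL   # keep [A-Za-z] strictly ASCII regardless of locale

# Models the vulnerable pattern from SKILL.md: the user value is pasted into
# the command TEXT and the shell then parses the whole string. 'eval' stands
# in for the agent's Bash tool; 'echo' replaces the real 'git' so this is
# harmless to run. With the real command, the injected tail would still run.
run_unsafe() {
    eval "echo git checkout -b add-locale-$1"
}

# Returns 0 when the value is exactly two ASCII letters, 1 otherwise.
# This checks shape only; an allow-list of the project's real codes would be
# stricter still.
is_valid_alpha2() {
    case "$1" in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Builds the branch name the skill uses, refusing anything not alpha-2 shaped,
# so no shell metacharacter can reach a command line.
branch_for() {
    is_valid_alpha2 "$1" || return 1
    printf 'add-locale-%s\n' "$1"
}

# Stand-in for git: prints each argv element in angle brackets so the word
# boundaries the shell actually hands to the program are visible.
git_dry() {
    printf '[argv]'
    for arg in "$@"; do printf ' <%s>' "$arg"; done
    printf '\n'
}

# Hardened flow: validate first, then pass the value as ONE argv element
# through a shell variable. The shell expands the variable as a single word
# and never re-parses its contents, unlike textual interpolation.
checkout_locale_branch() {
    branch=$(branch_for "$1") || return 1
    git_dry git checkout -b "$branch"
}

commit_locale() {
    is_valid_alpha2 "$1" || return 1
    git_dry git commit -m "Register $1"
}

# Demonstration with a constructed malicious value.
evil='x; echo INJECTED'
echo "--- unsafe interpolation with '$evil':"
run_unsafe "$evil"          # prints the git line, then INJECTED: a second command ran
echo "--- hardened flow:"
checkout_locale_branch fr   # [argv] <git> <checkout> <-b> <add-locale-fr>
checkout_locale_branch "$evil" || echo "rejected: '$evil' is not a two-letter code"
```

The shape check is the part that matters for an agent skill: quoting inside the interpolated instruction text would not help, because a value containing a matching quote character breaks out of it before the shell ever sees the variable.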
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 04:48 AM