debug-expert
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to perform operations that lead to the exposure of secrets. Specifically, in the 'Environment Differences' section, it suggests running `diff <(env | sort) <(ssh prod 'env | sort')` and `diff local.env prod.env`. Executing these commands forces the agent to read and likely display the entire environment configuration (including API keys, tokens, and DB credentials) in the session logs.
- [COMMAND_EXECUTION]: The skill relies heavily on the agent's ability to execute shell commands for system inspection and debugging. Commands mentioned include `ps aux`, `lsof`, `journalctl`, `docker logs`, `curl`, and `git bisect`.
- [DATA_EXFILTRATION]: The instruction to SSH into a production environment and dump environment variables (`ssh prod 'env | sort'`) constitutes a pattern where sensitive remote configuration data is pulled into the local or agent context, where it may be further processed or exposed.
- [PROMPT_INJECTION]: The skill is designed to ingest and analyze untrusted external data, such as error logs, stack traces, and console outputs, making it vulnerable to indirect prompt injection.
  - Ingestion points: The 'Problem Understanding' phase (SKILL.md) and 'Log Analysis' section (references/root-cause-analysis.md) ingest logs and command outputs.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present when processing ingested data.
  - Capability inventory: The agent has access to shell execution, file system operations, and network connectivity (via SSH and curl).
  - Sanitization: There is no evidence of filtering, escaping, or validating the ingested content before it is processed by the agent.
Audit Metadata