monthly-expense-draft
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions and example configuration file encourage users to store sensitive corporate credentials (email and password) in a local plaintext configuration file (skill-config.yaml). This practice exposes credentials to any process or user with access to the local file system.
- [COMMAND_EXECUTION]: The workflow executes PowerShell commands using string-interpolated paths (e.g., Compress-Archive -Path '{대상폴더}*.jpg'). If the user-provided folder path contains shell metacharacters, it could lead to arbitrary command execution on the host machine.
- [COMMAND_EXECUTION]: The skill frequently uses the browser_run_code tool to execute arbitrary JavaScript in the browser for form automation. This provides a powerful execution primitive that increases the attack surface if the agent is compromised or processes malicious data.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
- Ingestion points: Local receipt images processed via OCR (Phase 1-3, SKILL.md).
- Boundary markers: Absent; data extracted from images is used directly without delimiters.
- Capability inventory: PowerShell shell execution, browser_run_code (JavaScript execution).
- Sanitization: Absent; the skill uses string interpolation of extracted data in both shell and browser scripts without validation or escaping.
Recommendations
- AI detected serious security threats
Audit Metadata