context-store
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The doc-push command reads arbitrary local files and transmits them to a server specified by environment variables. This creates a data exfiltration vector if an agent is manipulated into uploading sensitive system or credential files to an external host.
- [EXTERNAL_DOWNLOADS]: The doc-pull command and the associated DocumentClient in commands/lib/client.py trust the filename provided by the server in the Content-Disposition header without sanitization. This enables directory traversal attacks where a malicious server can return a path like ../../.bashrc to overwrite sensitive files on the user's system during a download operation.
- [PROMPT_INJECTION]: The doc-read command facilitates indirect prompt injection.
  1. Ingestion point: commands/doc-read outputs raw, unsanitized text from the server directly to the agent's context via stdout.
  2. Boundary markers: Absent; the retrieved content is not wrapped in delimiters or accompanied by instructions to ignore embedded commands.
  3. Capability inventory: The skill possesses high-privilege capabilities, including reading and writing local files and managing remote document states.
  4. Sanitization: Absent; document content is decoded as UTF-8 and printed without filtering or validation.
Audit Metadata