tinkering
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill instructions include potentially dangerous shell commands such as 'rm -rf _experiments/{experiment-name}/' and 'mkdir -p _experiments/{experiment-name}'. Because the skill does not specify sanitization or validation for the '{experiment-name}' variable, an agent could be manipulated via path traversal (e.g., using '../../' as a name) to delete or modify production files.
- REMOTE_CODE_EXECUTION (LOW): The workflow encourages the creation, installation, and execution of experimental scripts and libraries ('npm run build', 'test_redis.py'). While this aligns with the skill's purpose of a 'technical spike,' it establishes a vector for executing untrusted code if the 'tinkering' topic is influenced by a malicious actor.
- DATA_EXFILTRATION (LOW): The skill provides instructions to copy source files into a sandbox directory ('cp src/utils/date.ts _experiments/...'). This capability can be used to move sensitive information or production code into a temporary, potentially less-secured directory structure.
- PROMPT_INJECTION (LOW): The skill exhibits an indirect prompt injection surface where user-provided experiment names are interpolated into critical shell operations.
  * Ingestion points: Primary triggers in SKILL.md such as 'experiment with {name}'.
  * Boundary markers: Absent; there are no instructions to delimit or validate the user-provided experiment name.
  * Capability inventory: File system modification (mkdir, cp, rm -rf) and tool execution (npm, python) referenced throughout the documentation.
  * Sanitization: Absent; the skill lacks instructions for the agent to sanitize or escape user input before command execution.
Audit Metadata