rhel-deploy
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill facilitates remote execution by transferring application code and configuration files to a target host and subsequently executing them via SSH. It also pulls and runs container images using Podman.
- [PROMPT_INJECTION]: The skill's description and metadata contain an instructional override ('CRITICAL: When user types /rhel-deploy, use THIS skill immediately') intended to influence the agent's routing logic and prioritize this specific skill.
- [INDIRECT_PROMPT_INJECTION]: A potential shell injection surface exists where user-provided variables such as application names, container images, or package lists are interpolated into SSH command strings (e.g., in Phase 4a-1 and 4b-1) without explicit sanitization. Evidence: ingestion points in Phase 1 (Host/User) and Phase 4 (app-name, image-ref, packages); no boundary markers or sanitization logic present; capabilities include subprocess execution of SSH and rsync.
- [PRIVILEGE_ESCALATION]: The skill requires and uses sudo privileges on the remote host to perform system-level configurations, install packages via dnf, and manage systemd services.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill collects and handles sensitive host connection metadata, including hostnames/IP addresses and usernames, to facilitate remote connectivity.