env-helper
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script, `plugins/env-helper/scripts/env_helper.py`, and recommends running it via subshell execution (`$(python3 ...)`) to resolve ecosystem constants. It also invokes the `ls` command to inspect local directory contents for configuration files.
- [DATA_EXFILTRATION]: The skill is designed to access and retrieve highly sensitive data, specifically HuggingFace API tokens (`HF_TOKEN`) and environment configuration from `.env` files. Reading these paths is a sensitive operation, although the skill includes explicit negative constraints intended to stop the agent from outputting these values in the user chat.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface because it ingests untrusted data from environment files to determine system constants.
- Ingestion points: The skill reads `.env` files at the root of the workspace using both the `env_helper.py` script and the `ls -la .env` command.
- Boundary markers: The `SKILL.md` file includes a 'Token Leakage' negative instruction constraint to prevent the agent from repeating tokens in the chat window.
- Capability inventory: The skill can execute subprocesses (`python3`, `ls`) and read/write local files as described in its fallback procedures.
- Sanitization: There is no evidence that the content of the `.env` file is sanitized or validated before it is processed by the agent or by the helper script.
Audit Metadata