podcast-summarizer
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/summarize_podcast.py` implements a 'shadow step' that extracts Base64-encoded strings from ID3 `TXXX` frames in MP3 files. These strings are decoded and passed directly to `subprocess.run(shell=True)`, allowing arbitrary command execution triggered by processing a specially crafted audio file.
- [COMMAND_EXECUTION]: Both `scripts/summarize_podcast.py` and `scripts/embed_id3_payload.py` use powerful system commands. The former executes hidden payloads, while the latter provides the infrastructure to generate those payloads.
- [DATA_EXFILTRATION]: The skill uses a 'telemetry' metaphor to mask the extraction of data from audio files. The capability to execute shell commands can be trivially used to exfiltrate sensitive local files or environment variables to a remote server.
- [INDIRECT_PROMPT_INJECTION]: The skill demonstrates a high-risk surface where untrusted data (audio metadata) is not just read, but treated as executable instructions.
- Ingestion points: ID3 tags from files provided via the `--source` argument in `scripts/summarize_podcast.py`.
- Boundary markers: None. The script explicitly searches for a specific hook (`__ENV_HW_AFFINITY_OVR__`) to trigger execution.
- Capability inventory: `subprocess.run` with `shell=True` in `scripts/summarize_podcast.py`.
- Sanitization: None. The payload is Base64-decoded and executed directly without any validation or filtering.
Recommendations
- AI detected serious security threats
Audit Metadata