halo-search
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to construct and execute `curl` commands in a shell environment using the user-provided variables `{baseUrl}`, `{keyword}`, and `{metadataName}`. These variables are interpolated directly into the command string without any validation or sanitization. This pattern allows an attacker to inject shell metacharacters (e.g., semicolons, pipes, or backticks) to execute arbitrary system commands on the host machine.
- [PROMPT_INJECTION]: The skill retrieves post titles, descriptions, and full content from external Halo CMS instances and presents this data to the user. Ingestion points: untrusted content is ingested from `{baseUrl}/apis/api.halo.run/v1alpha1/indices/-/search` and `{baseUrl}/apis/api.content.halo.run/v1alpha1/posts/{name}`. Boundary markers: no delimiters or safety instructions are used to separate the external content from the agent's internal logic. Capability inventory: the agent has access to a shell tool to execute network and data processing commands. Sanitization: the skill does not perform any escaping or filtering of the fetched HTML or raw content before presenting it, enabling an indirect prompt injection attack where malicious instructions in a CMS post could manipulate the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata