Deferring Task Execution
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Potential command injection in `SKILL.md`. The instruction in Step 2 to run `wait-until.sh <argument>`, where `<argument>` is a value parsed from natural language, creates a shell injection vector. If an attacker provides an input like `5m; malicious_command`, and the agent does not strictly sanitize it before shell invocation, the secondary command will execute with the agent's privileges.
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection (Category 8).
  1. Ingestion points: Natural language input from users used as parameters for script execution.
  2. Boundary markers: Absent; there are no instructions to the agent on how to delimit or sanitize the user-provided duration/time string.
  3. Capability inventory: The skill uses the `Bash` tool, which provides full system command execution capability.
  4. Sanitization: While the `wait-until.sh` script performs its own regex validation, the vulnerability exists at the shell construction layer before the script is even executed.
- [DATA_EXPOSURE] (LOW): If a command injection is successful, an attacker could use the `Bash` capability to access sensitive files, environment variables, or local credentials.
Recommendations
- AI detected serious security threats
Audit Metadata