compliance-automation

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill contains a suite of 26 shell scripts in assets/scripts/ that execute complex system commands, including cloud CLIs (aws, az, gcloud) and the GitHub CLI (gh).
    • Evidence: assets/scripts/collect-all.sh iterates through and executes every script in its directory using bash "$script".
  • [REMOTE_CODE_EXECUTION] (HIGH): The core functionality of the skill involves generating new shell scripts and GitHub Actions workflows at runtime based on the detected environment.
    • Evidence: references/workflow-evidence.md specifies a 'test-first workflow' in which the agent generates or copies scripts, asks the user to export secrets, and then executes the scripts locally to verify that they work.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's scripts make numerous outbound requests to various third-party APIs (e.g., Auth0, Datadog, Slack) to retrieve configuration and usage data.
    • Evidence: assets/scripts/auth0.sh, assets/scripts/okta.sh, and others use curl to fetch data from remote endpoints.
  • [DATA_EXFILTRATION] (MEDIUM): While the stated goal is 'evidence collection', the skill extracts potentially sensitive metadata from the codebase and cloud environment and transmits it to various SaaS providers or prepares it to be committed to a Git repository.
    • Evidence: references/scanning-patterns/access-control.md extracts password requirements, RBAC roles, and session configurations using grep across the codebase.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The skill manages a large number of sensitive API tokens (e.g., OKTA_API_TOKEN, DATADOG_API_KEY) through a local .compliance/secrets.env file and environment variables.
    • Evidence: assets/scripts/collect-all.sh explicitly sources .compliance/secrets.env to provide credentials to child scripts.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted codebase data and processes it with regex patterns to generate compliance policies.
    • Evidence chain:
      • Ingestion points: Reads files from the entire codebase via the Glob and Grep patterns specified in references/scanning-patterns/.
      • Boundary markers: None found; the agent is instructed to use extracted values directly in generated policy text without delimiters or escaping.
      • Capability inventory: File system writes, shell execution (bash), and network access via curl in generated scripts.
      • Sanitization: No formal sanitization of the extracted codebase strings before they are interpolated into the generated markdown policies.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 03:42 AM