charmkeeperration-tests
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill references and encourages fetching configuration files and templates from several
raw.githubusercontent.comURLs under thecanonicalorganization. Sincecanonicalis not in the explicitly trusted GitHub Organizations list, these are classified as unverifiable external downloads. - COMMAND_EXECUTION (MEDIUM): The skill executes
scripts/create-charmkeeper-vm.sh, which performs significant system-level operations includingmultipass launch,snap install, andjuju bootstrap. These commands can significantly alter the host or VM environment. - PRIVILEGE_ESCALATION (MEDIUM): The script
scripts/create-charmkeeper-vm.shusessudowithin the virtual machine to install snaps with classic confinement and prepare the k8s environment. Although restricted to the VM, it represents high-privilege operation patterns. - INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to ingest and process code from a repository (integration tests) and external templates. It possesses command execution capabilities (
tox,multipass exec), which creates an attack surface for indirect instructions in the processed data. - Ingestion points: External template URLs listed in
SKILL.mdand repository test files. - Boundary markers: None (instructions do not specify delimiters for untrusted code blocks).
- Capability inventory: Subprocess calls for
multipass,snap,juju, andtoxinscripts/create-charmkeeper-vm.shandSKILL.md. - Sanitization: No sanitization or validation of repository content or external templates before execution.
Audit Metadata