node-debugging

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions specify connecting to arbitrary host processes by PID and interacting with Docker containers, specifically recommending the mounting of the Docker daemon socket (/var/run/docker.sock). This provides the agent with a path to host-level privilege escalation and container escape.
  • [DATA_EXFILTRATION]: The debugging capabilities, including tracepoints and exceptionpoints, allow for the capture of local variables, call stacks, and expressions from running backend processes. This could be used to harvest sensitive information such as environment variables, API keys, or user data directly from memory.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes an execute tool that permits the dynamic execution of JavaScript code within the context of the connected Node.js backend. This allows the agent to modify application state or execute arbitrary logic on the target server.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of external process data. Evidence: 1. Ingestion points: debug_get-probe-snapshots (SKILL.md). 2. Boundary markers: Absent. 3. Capability inventory: debug_connect, execute, debug_put-tracepoint (SKILL.md). 4. Sanitization: Absent. An attacker controlling a process's output or state could attempt to influence the agent's behavior when it retrieves snapshots.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 26, 2026, 02:47 AM