debug
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill reads log files (
cat $LOG_FILE) which contain outputs from the code being debugged. If the application processes untrusted data (e.g., user input, web content), an attacker can embed malicious instructions in that data. When the agent 'analyzes' the logs, it may inadvertently execute those instructions. - Ingestion points:
cat $LOG_FILEin the analysis step. - Boundary markers: None. The agent reads raw log lines.
- Capability inventory: Full shell access, file modification (
git checkout,rm), and process management (kill). - Sanitization: None provided for log content.
- Data Exposure (MEDIUM): The skill stores logs in
/tmp/debug-*.log. On many Unix-like systems,/tmpis world-readable, meaning any other user or process on the system can read the debug logs, which the skill explicitly encourages filling with 'relevant variable state' and parameters. - Command Execution (LOW): The skill relies on executing local scripts (
server.mjs,viewer.mjs,find-port.mjs) and managing processes via shell commands. While legitimate for the stated purpose, this broadens the attack surface for an agent influenced by injected instructions.
Recommendations
- AI detected serious security threats
Audit Metadata