tool-design
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill advocates for an architectural pattern in 'references/architectural_reduction.md' that uses a bash command execution tool (e.g., sandbox.exec(command)) as a core component. Recommending arbitrary shell access for agents is a high-risk design choice that can lead to unauthorized system actions if the agent is compromised.
- PROMPT_INJECTION (LOW): The 'File System Agent' pattern creates a surface for Indirect Prompt Injection because the agent reads untrusted files to determine its logic.
  1. Ingestion points: Files in the '/data' and '/docs' directories read via 'cat' or 'grep' commands.
  2. Boundary markers: Examples lack explicit delimiters to separate external data from system instructions.
  3. Capability inventory: The agent is granted bash execution capabilities, allowing it to process and potentially act on instructions embedded in documentation.
  4. Sanitization: No input validation or sanitization is present in the reference implementation for the shell commands.
Audit Metadata