tot-spec
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The code generator implementation in references/rpc.md is vulnerable to injection attacks due to unsafe interpolation of user-controlled data into source code templates.
  - Ingestion points: The tool reads untrusted YAML specification files from user-defined folders to define data structures and RPC methods.
  - Boundary markers: No boundary markers or 'ignore' instructions are present to prevent embedded instructions in the YAML from influencing the generator.
  - Capability inventory: The generator uses std::fs::read_to_string and std::fs::write to read inputs and generate executable code files, posing a risk if the output is compiled or executed.
  - Sanitization: None identified. The generate_handlers function in references/rpc.md directly formats YAML fields like method.request and method.response into Rust trait definitions using format!, allowing an attacker to inject arbitrary Rust logic by crafting malicious YAML values.
- [External Downloads] (LOW): The SKILL.md instructions recommend installing tot_spec_cli using cargo install. While cargo is a standard tool, the package itself originates from an untrusted source, which is a common vector for supply chain attacks.
- [Command Execution] (LOW): The skill documentation includes several examples of command execution (e.g., tot_spec -i <folder>, cargo install) which involve executing software and scripts on the local filesystem.
Recommendations
- AI detected serious security threats
Audit Metadata