skills/simhacker/moollm/data-flow/Gen Agent Trust Hub

data-flow

Verdict: Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • Command Execution (MEDIUM): The skill defines a processor type that executes terminal commands using shell variable interpolation, such as 'python parse.py ${input}'. This pattern is highly susceptible to command injection if input filenames or paths contain shell metacharacters and are not properly sanitized.
  • Remote Code Execution (MEDIUM): The system is designed to run arbitrary local scripts as processing nodes. This allows for arbitrary code execution on the host system if an attacker can influence the scripts stored in the directory structure or the YAML configurations defining them.
  • Indirect Prompt Injection (LOW): The pipeline ingests untrusted data from an 'inbox/' for semantic analysis by an LLM, creating a vulnerability surface where malicious content in processed files could influence agent behavior. Evidence chain:
    1. Ingestion points: 'inbox/' folders specified in SKILL.md.
    2. Boundary markers: absent.
    3. Capability inventory: run_terminal_cmd, write_file, and read_file.
    4. Sanitization: none specified in the documentation.
  • Metadata Poisoning (MEDIUM): The 'skill-snitch-report.md' file attempts to influence safety evaluations by providing a self-authored 'SAFE' verdict and recommending approval, which is a deceptive practice that aims to bypass independent security review.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:35 PM