Skill: worm (simhacker/moollm/worm)

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from files, which is then processed by the agent. Since the agent also has file-writing capabilities, malicious content in a processed file could manipulate the agent into performing unauthorized actions. Ingestion points: 'EAT' and 'CHOMP' verbs in SKILL.md. Boundary markers: absent; no delimiters or ignore-instructions are used. Capability inventory: 'read_file', 'write_file', 'list_dir'. Sanitization: absent; content is normalized but not sanitized for instructions.
  • [Data Exposure & Exfiltration] (HIGH): Verbs like 'MOVE-WORM' and 'MOVE-HEAD' allow arbitrary filesystem navigation. The agent can be directed to sensitive locations (e.g., ~/.ssh) and read files into its buffer using 'EAT'. Evidence: SKILL.md movement verbs and tool permissions.
  • [Privilege Escalation] (MEDIUM): The 'Link-hopper' variant enables symlink traversal, which can be exploited to bypass directory restrictions and access files outside of the workspace. Evidence: 'Link-hopper' description in SKILL.md.
  • [Command Execution] (MEDIUM): The protocol serves as a high-level command language for file operations, increasing the complexity of safety monitoring and allowing for multi-step malicious file manipulations.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:02 PM