adk-engineer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill requests and utilizes the Bash(cmd:*) tool, which allows for unrestricted execution of arbitrary shell commands. While the intended use case is deployment automation and scaffolding, there are no constraints on what commands can be executed.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Untrusted data enters the context via user-provided "requirements" and "agent goals" in Step 1 of the instructions, as well as via existing code when "Refactoring" (Step 4).
  - Boundary markers: No delimiters or "ignore embedded instructions" warnings are present to separate instructions from the data being processed.
  - Capability inventory: The agent has full file-system access (Read, Write, Edit) and full shell access (Bash).
  - Sanitization: There is no mention of sanitizing or validating user input or existing code before it influences the behavior of the Bash or Write tools.
- [EXTERNAL_DOWNLOADS] (LOW): The skill references Google Cloud documentation (cloud.google.com). This is a known trusted source and is used for reference only, not for direct code execution.
Recommendations
- AI detected serious security threats
Audit Metadata