chatwoot
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): This skill has a high vulnerability surface for indirect prompt injection because it processes external content from the Chatwoot API while having access to shell execution.
  - Ingestion points: Untrusted data enters the agent context via curl responses when searching contacts, listing conversations, or getting message details.
  - Boundary markers: There are no delimiters or instructions used to separate the external API data from the agent's instructions.
  - Capability inventory: The skill uses bash -c to execute curl commands, providing a significant side-effect capability.
  - Sanitization: The skill does not perform any sanitization or validation of the API output before it is potentially used in downstream reasoning or further commands.
- [Command Execution] (MEDIUM): The skill relies extensively on bash -c to execute API calls. This usage pattern increases the risk that any malformed or malicious data entering variables could lead to local command injection.
- [Dynamic Execution] (MEDIUM): Request payloads are dynamically written to temporary files in /tmp/chatwoot_request.json and commands are constructed using environment variables, which can be a risk factor in multi-user or multi-tenant environments.
Recommendations
- AI detected serious security threats
Audit Metadata