filesystem
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface because it reads external content and has write capabilities.
  • Ingestion points: fs.readFile and fs.glob ingest untrusted data from the filesystem.
  • Boundary markers: None specified in the skill definition to differentiate between file content and instructions.
  • Capability inventory: fs.writeFile and fs.applyPatch allow for permanent modification of the environment.
  • Sanitization: Absent. An attacker could place instructions inside a file that, when read, cause the agent to execute unauthorized file writes or exfiltration.
- Data Exposure & Command Execution (MEDIUM): While restricted to the workspace, fs.readFile can be used to access sensitive project data (e.g., .env files, git configs). The fs.writeFile and fs.applyPatch commands provide the primitives needed to modify application logic or inject malicious scripts into the project structure.
Recommendations
- AI detected serious security threats
Audit Metadata