preqstation
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The shell script `scripts/preqstation-api.sh` uses the `eval` command within the `preq_review_task` function to execute shell commands passed as arguments (`test_cmd`, `build_cmd`, `lint_cmd`). This allows arbitrary command execution and is highly susceptible to shell injection if those arguments contain unsanitized input derived from external task data.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations against a user-configured `PREQSTATION_API_URL`, using `curl` in the shell scripts and `fetch` in the Node.js MCP server. These requests carry a sensitive authentication header (`Authorization: Bearer`) and fetch task data that controls the agent's workflow.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core logic relies on fetching task details from a remote API, and those details then dictate the agent's actions.
  - Ingestion points: Task details, including titles, descriptions, and results, are fetched from the remote API via `preq_get_task` in both the shell helper and the MCP server.
  - Boundary markers: Absent. The skill instructions include no delimiters or warnings to ignore instructions embedded in the task data.
  - Capability inventory: The agent can execute shell commands via the `preq_review_task` helper and perform file system and git operations as part of its implementation workflow.
  - Sanitization: Absent. External content from task fields is used to select lifecycle branches and as parameters for verification commands.
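The following is an added illustration of the COMMAND_EXECUTION finding, written for this review; it is not code from the preqstation skill or its `scripts/preqstation-api.sh`. The function names (`run_check_with_eval`, `run_check_argv`, `is_plain_token`) and the task payload are constructed. It shows why a task-supplied string passed to `eval` becomes a second command, and the two fixes a reviewer would ask for: execute the command as argv elements with no shell re-parsing, and reject task values that are not plain tokens before they reach any command line.

```sh
#!/bin/sh
# Added example for the audit finding above. Not the project's code; all
# names and the payload below are constructed for illustration.

# Constructed payload: a value an attacker could place in a task field that
# ends up in test_cmd. Everything after ';' is the injected command.
INJECTED_TEST_CMD='printf %s ok; echo INJECTED'

# Vulnerable pattern described in the finding: the task-supplied string is
# handed to eval, so the shell parses it and ';' starts a second command.
run_check_with_eval() {
  eval "$1"
}

# Hardened replacement: run argv elements directly. Each argument is exactly
# one word to the program; metacharacters inside it are never interpreted.
# Usage: run_check_argv <program> [args...]
run_check_argv() {
  "$@"
}

# Defence in depth: accept only non-empty values made of an allowlisted
# character set (letters, digits, . _ / = : -). Anything containing shell
# metacharacters, quotes or whitespace is rejected before it can be used
# to build a command line at all.
is_plain_token() {
  [ -n "$1" ] && ! printf '%s' "$1" | grep -q '[^A-Za-z0-9._/=:-]'
}

# Demonstration (constructed input): the same string, two outcomes.
run_check_with_eval "$INJECTED_TEST_CMD"          # runs the injected echo
echo
run_check_argv printf '%s' "$INJECTED_TEST_CMD"   # prints the string literally
echo
if is_plain_token "$INJECTED_TEST_CMD"; then
  echo "accepted (should not happen)"
else
  echo "rejected: task value is not a plain token"
fi
```

The point a practitioner should take from this: validation of the string is secondary. As long as the verification command is assembled by `eval` from task data, any bypass of the character allowlist is again full command execution; removing `eval` and fixing the program name in local configuration (with task data passed only as a literal argument) closes the class of bug rather than one payload.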
Recommendations
- AI detected serious security threats
Audit Metadata