permissions-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection. The skill uses web search tools (Perplexity, Brave) to research unknown CLI tools and then processes those results to determine security permissions. 1. Ingestion points: mcp__perplexity-ask__perplexity_ask, mcp__brave-search__brave_web_search, and WebSearch. 2. Boundary markers: No delimiters or instructions to ignore embedded commands are specified for processing search results. 3. Capability inventory: Bash, Write, Edit, and script execution capabilities. 4. Sanitization: No semantic validation or filtering of untrusted external content is performed before applying configuration changes.
- [COMMAND_EXECUTION] (HIGH): The skill manages agent permissions and executes local Python scripts (detect_project.py, apply_permissions.py) via Bash. This functionality provides a mechanism for privilege escalation if the classification logic or the research data obtained from external sources is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata