@554/work-migration
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands (`cp`, `zip`, `7z`, `rm`) in Phase 4 and Phase 3.5 using dynamic strings derived from project names, file paths, and user-provided passwords. The lack of explicit sanitization for these variables (e.g., `[name]`, `[identified-files]`, `USER_PASSWORD`) presents a high risk of arbitrary command injection if an attacker can influence project metadata or provide a malicious password string.
- [DATA_EXFILTRATION]: The skill is explicitly designed to aggregate and export comprehensive workspace data. This includes source code, environment variables, memory topics, scheduled tasks, and user preferences. While intended for migration, this capability could be exploited to exfiltrate a complete snapshot of an agent's environment.
- [CREDENTIALS_UNSAFE]: The workflow in Phase 3.5 offers the user a functional path to include actual values from `.env` files (e.g., `OPENAI_API_KEY`, `POSTGRES_URL`) in the exported archive. Although it recommends redaction and prompts for consent, it facilitates the movement of plaintext secrets into a portable ZIP file.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its data-processing workflow.
  - Ingestion points: The skill reads all files within the project scope, environment variables, and memory topics during Phase 2 Discovery (SKILL.md).
  - Boundary markers: None identified; the skill does not use delimiters or instructions to ignore embedded commands in the files it processes.
  - Capability inventory: The skill can execute shell commands (`cp`, `zip`, `rm`) and write files to the workspace (SKILL.md Phase 4).
  - Sanitization: No sanitization or escaping of file content or file names is performed before they are processed by shell utilities.