filesystem
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONNO_CODECOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. 1. Ingestion points: The
search --contentcommand reads raw data from files. 2. Boundary markers: Absent in documentation and configuration. 3. Capability inventory: The skill possessesread-writefilesystem permissions as specified inpackage.json. 4. Sanitization: Documentation claims path validation, but this is unverifiable without the source code. An attacker could place malicious instructions in a file that the agent reads, potentially causing the agent to delete or exfiltrate other data. - [NO_CODE] (HIGH): The core executable file
./filesystemdefined inpackage.jsonis missing. All safety claims (Path Validation, Protected Paths) are documentation-only and cannot be verified against actual implementation. - [COMMAND_EXECUTION] (MEDIUM): The skill performs destructive batch operations like
copyandoverwrite. While it includes adry-runmode, the inherent capability to modify the filesystem in bulk presents a significant risk if the agent is misled by injected instructions.
Recommendations
- AI detected serious security threats
Audit Metadata