systematic-debugging
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) by mandating that the agent read and analyze external, potentially attacker-controlled content like error messages and stack traces (SKILL.md, Phase 1).
  - Ingestion points: Error messages, diagnostic logs, and stack traces.
  - Boundary markers: Absent; no instructions are provided to delimit data from instructions or to ignore embedded commands.
  - Capability inventory: find-polluter.sh (executes npm test) and SKILL.md (example bash commands for data flow tracing and instrumentation).
  - Sanitization: Absent; the agent is not instructed to sanitize or escape data before interpolation or action.
- [COMMAND_EXECUTION] (MEDIUM): The skill includes find-polluter.sh, a bisection script that executes npm test on local files matching a user-defined pattern. This provides a direct mechanism for arbitrary local code execution if malicious files are present in the workspace.
- [CREDENTIALS_UNSAFE] (MEDIUM): Instrumentation examples in SKILL.md (Phase 1, Step 4) demonstrate accessing environment secrets (IDENTITY) and keychain identities (security find-identity). These patterns encourage the exposure of sensitive credentials during automated debugging sessions without proper masking.
Recommendations
- AI detected serious security threats