move-a-file
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: In Step 3, the agent is explicitly instructed to "Read the file to understand the context" for every file containing a reference (e.g., source code, documentation, config).
- Boundary markers: There are no boundary markers or instructions to treat file content as data rather than instructions.
- Capability inventory: The agent possesses filesystem modification capabilities (`git mv`, `mkdir`) and source code modification capabilities (the `Edit` tool).
- Sanitization: None. An attacker could place instructions inside a README or code comment that the agent might execute while 'reviewing context'.
- [DATA_EXFILTRATION] (MEDIUM): The skill enables Sensitive File Exposure (Category 2).
- It allows moving any file relative to the project root without a blocklist.
- An agent could be directed to move sensitive files (e.g., `.env`, `.ssh/id_rsa`, `.aws/credentials`) into public or staging directories, leading to accidental exposure or exfiltration during deployment.
- [COMMAND_EXECUTION] (LOW): The skill utilizes shell commands (`rg`, `grep`, `git mv`, `mkdir`, `ls`) to perform its tasks. While these are standard tools, when combined with the lack of input sanitization and the ingestion of untrusted file content, they provide the necessary primitives for the higher-severity risks identified.
Recommendations
- AI detected serious security threats
Audit Metadata