error-recovery
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: It reads external content from error-log.txt, command outputs, and stack traces.
  - Boundary markers: There are no delimiters or 'ignore' instructions wrapping the untrusted error data.
  - Capability inventory: The skill can execute git reset --hard, rm -rf, and ./scripts/init.sh.
  - Sanitization: No sanitization is performed on error content before it is processed or posted to GitHub via gh issue comment. An attacker could craft a 'failure' containing instructions to influence the agent's next steps.
- COMMAND_EXECUTION (HIGH): The skill executes potentially destructive commands and local scripts.
  - Evidence: git reset --hard and rm -rf node_modules can cause data loss or remove security controls.
  - Evidence: The execution of ./scripts/init.sh during recovery is a significant risk; if a previous step or a malicious actor modified this script before the 'failure', the agent would execute the compromised code.
- DATA_EXFILTRATION (MEDIUM): The skill risks exposing sensitive environment data.
  - Evidence: It explicitly runs env | grep -E "NODE|NPM|PATH" and directs the output to logs or GitHub comments. Secrets are frequently stored in environment variables, and broad grep patterns may capture them.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill executes code from external sources without version pinning.
  - Evidence: It uses pnpm dlx madge to fetch and run a package from the npm registry at runtime, which is susceptible to supply chain attacks.
Recommendations
- AI detected serious security threats
Audit Metadata