downloads-organizer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Privilege Escalation (HIGH): The documentation in `README.md` and `SKILL.md` suggests running the script with `sudo` to resolve permission errors. Encouraging users to run file manipulation scripts with root privileges is a high-risk practice that can lead to system-wide compromise.
- Persistence Mechanisms (HIGH): The `SKILL.md` file provides instructions for setting up `cron` jobs to automate the execution of the organizer script. This establishes a persistent execution path on the user's system which could be exploited if the script is tampered with.
- Indirect Prompt Injection (HIGH): The skill's core functionality involves processing untrusted data (filenames and metadata) from the `~/Downloads` folder.
  - Ingestion points: The `organizer.py` script ingests all filenames in the downloads directory via `rglob('*')` and `iterdir()`.
  - Boundary markers: None. There are no instructions or delimiters to prevent an AI agent from interpreting instructions embedded in filenames during analysis or organization tasks.
  - Capability inventory: The script performs file system operations including `mkdir` and `shutil.move` across the user's home directory.
  - Sanitization: Filenames are used directly in path construction without sanitization or validation, posing a risk of path manipulation and agent logic subversion.
- Metadata Poisoning (MEDIUM): The `SKILL.md` file advertises several 'Integration' features (Slack, Cloud Sync, Obsidian) that are completely absent from the provided Python source code. This misleading metadata can lead users to overestimate the skill's capabilities and security features.
Recommendations
- AI detected serious security threats