technical-blog-writing
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requests broad execution permissions via allowed-tools: Bash(infsh *). This grants the agent the ability to execute any command or application available through the infsh CLI, which serves as an interface to various remote services and local utilities.
- [REMOTE_CODE_EXECUTION]: The skill employs the infsh/python-executor tool to run Python code for generating benchmark charts. This involves generating and executing scripts at runtime, which is a form of dynamic execution. While the provided example is benign, the underlying capability allows for arbitrary code execution within the executor's environment.
- [PROMPT_INJECTION]: The skill exhibits vulnerability to indirect prompt injection by design, as it ingests and processes untrusted data from external sources.
  - Ingestion points: Search query results from the exa/search tool are used to research and write technical content.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between the skill's instructions and potentially malicious content found in search results.
  - Capability inventory: The skill can execute subprocesses through infsh, run dynamic Python code, and post content to social media via x/post-create.
  - Sanitization: There is no evidence of filtering or sanitizing the data retrieved from external tools before it is processed by the agent.
Audit Metadata