spaces-storage
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The utility script scripts/create-space.sh is vulnerable to shell command injection. Positional arguments for the bucket name and region are interpolated directly into the s3cmd command without sanitization or proper shell quoting, which could allow an attacker to execute arbitrary commands if the agent passes unvalidated user input to the script.
- DATA_EXFILTRATION (LOW): The skill facilitates data transfer to a non-whitelisted domain (digitaloceanspaces.com). Several code snippets default to public-read ACLs, and the provided templates/cors.xml allows all origins (*), both of which significantly increase the risk of accidental data exposure. Note: The automated scanner alert for file.co appears to be a false positive triggered by the string file.content_type in the integration code.
- PROMPT_INJECTION (LOW): The skill implements functions for downloading and listing external objects, creating an indirect prompt injection surface.
  - Ingestion points: downloadFile (Node.js) and download_file (Python) functions in SKILL.md retrieve external data into the agent context.
  - Boundary markers: None present; the code does not include delimiters or instructions to prevent the agent from following commands embedded in the retrieved files.
  - Capability inventory: The skill provides comprehensive storage capabilities, including the ability to list, read, write, and delete objects.
  - Sanitization: None; there is no validation or escaping of the content of downloaded objects before they are processed by the agent.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata