doc-sys-fixer
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because its logic is driven by the contents of Audit and Review reports which act as untrusted input influencing file system operations.
  - Ingestion points: The skill parses `SYS-NN.A_audit_report_vNNN.md` and `SYS-NN.R_review_report_vNNN.md` (e.g., in Phase 6) to identify issues and apply automated fixes.
  - Boundary markers: There are no defined boundary markers or instructions within the skill to distinguish between legitimate report findings and potentially malicious instructions embedded in those reports.
  - Capability inventory: The skill has extensive file system capabilities, including creating directories (`os.makedirs`), moving files (`shutil.move`), and writing file content (`Path.write_text`).
  - Sanitization: While regex is used to validate filename patterns (e.g., `r'SYS-(\d+)_([^/]+)\.md'`), there is limited validation on the content being written back to the documents during the fix phases.
- [COMMAND_EXECUTION]: The skill documentation describes the use of shell commands to perform file integrity checks and fix hash placeholders.
  - Evidence: Phase 6 (Hash Validation Fixes) references the command `sha256sum <upstream_file_path> | cut -d' ' -f1`. If the `<upstream_file_path>` is extracted from a report influenced by an attacker and passed to a shell environment without strict sanitization, it could be exploited for command injection.