debug
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection via its log-ingestion server (debug_server.js). By setting Access-Control-Allow-Origin to '*' without authentication, any website can send data to the logs. Since the agent reads these logs to 'fix' bugs and has high-privilege access (Bash), an attacker can execute arbitrary commands by embedding them in log messages. Evidence Chain:
  - Ingestion point: POST /log in debug_server.js
  - Boundary markers: Absent
  - Capability inventory: Bash(node:*) and file-write access
  - Sanitization: Absent
- [COMMAND_EXECUTION] (LOW): The server script uses execSync to manage local processes by running lsof and kill. Although inputs are vetted, the use of shell execution for process management is a risk factor.
- [COMMAND_EXECUTION] (MEDIUM): The log server exposes a path traversal vulnerability via the sessionId parameter in debug_server.js, allowing an attacker to write to or overwrite any .log file on the filesystem accessible by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata