qiita
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `urlencode` function in `scripts/qiita.sh` is vulnerable to command injection. It uses `python3 -c` to execute a string that interpolates a shell variable inside triple single quotes: `python3 -c "... quote('''$string''', ...)"`. An attacker-controlled search query or content can break out of the Python string literal using `'''` to execute arbitrary Python code on the host system.
- [DATA_EXFILTRATION]: The `item post` and `item update` commands in `scripts/qiita.sh` support a `--body-file` parameter that uses `cat` to read the contents of a file provided as an argument. This allows for the unauthorized reading of sensitive local files (e.g., `~/.ssh/id_rsa`, `.env`) if the agent is manipulated into passing a sensitive path to this parameter.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes technical articles and comments from Qiita (an external, untrusted source) without using boundary markers or sanitization.
  - Ingestion points: Article search, article retrieval, and comment listing functions in `scripts/qiita.sh` ingest untrusted content from the Qiita API.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the skill's prompts or processing logic.
  - Capability inventory: The skill has capabilities for network access (via `curl`), arbitrary file reading (via `cat` in `scripts/qiita.sh`), and dynamic code execution (via `python3 -c`).
  - Sanitization: There is no evidence of HTML stripping, Markdown sanitization, or instruction filtering for retrieved article content.
Recommendations
- AI detected serious security threats
Audit Metadata