json-yaml
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The shell scripts convert.sh, format.sh, query.sh, and validate.sh all use heredocs (python3 << PYEOF) to execute Python code while directly interpolating shell variables like $FILE, $OUT, and $QUERY into the script body without escaping or validation. An attacker can provide a value containing a double quote (e.g., \"; import os; os.system('id'); #) to break out of the Python string literal and execute arbitrary Python code.
- [COMMAND_EXECUTION]: The utility scripts generate and execute dynamic Python code at runtime based on unvalidated shell inputs, creating a high-risk execution path within the tool context.
- [DATA_EXFILTRATION]: Due to the command injection vulnerability, an attacker can read sensitive files from the local file system (e.g., ~/.ssh/id_rsa, .env) and potentially exfiltrate their content if the environment allows network access.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes untrusted structured data from external files.
  - Ingestion points: The scripts convert.sh, format.sh, query.sh, and validate.sh read input data from files specified via the $FILE parameter.
  - Boundary markers: None. Output is printed directly to stdout without delimiters or 'ignore instructions' markers.
  - Capability inventory: The skill possesses file read/write capabilities and arbitrary code execution via the interpolation vulnerability.
  - Sanitization: None. The scripts perform no escaping or validation of file contents or query parameters before they are processed by the Python logic or interpolated into commands.
Recommendations
- AI detected serious security threats