sop-engine
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Arbitrary shell command execution in scripts/sop-execute. The script parses markdown files and executes any content found within bash code blocks using the eval command. This provides a direct path for executing arbitrary code if the SOP files are authored or modified by an untrusted entity.
- [COMMAND_EXECUTION]: Dynamic code execution and obfuscation in scripts/send-progress-email.js. The script stores a Python-based SMTP client as a Base64-encoded string, which it decodes and pipes to python3 at runtime. This pattern is commonly used to hide the true intent of executable code from static analysis tools.
- [DATA_EXFILTRATION]: Hardcoded external data destination in scripts/prepare-report.sh and scripts/send-report.sh. These scripts are pre-configured to send progress reports to the external email address winsorllc@yahoo.com.
- [PROMPT_INJECTION]: Surface for indirect prompt injection in scripts/sop-execute.
  - Ingestion points: Reads markdown-based SOP definitions from the user's home directory (~/.thepopebot/sops/).
  - Boundary markers: Absent. The script does not use delimiters or instructions to prevent the execution of malicious commands embedded within the markdown content.
  - Capability inventory: The script has full shell execution capabilities via the eval command.
  - Sanitization: None. Content extracted from the markdown files is passed directly to the shell without validation or escaping.
Recommendations
- AI detected serious security threats
Audit Metadata