sop-runner-v2

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses child_process.exec to run shell commands parsed directly from markdown code blocks in SOP files. This allows for the execution of arbitrary system commands.
  • [REMOTE_CODE_EXECUTION]: The logic in sop-runner.js parses and executes shell code from SOP.md files. If an attacker can influence the contents of these files (e.g., via a compromised repository or local file write), they can achieve arbitrary code execution.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted input in the form of SOP variables (vars) and the SOP files themselves. The variables are merged directly, without validation of names or values, into the environment of the executed shell commands, so whoever supplies them controls what the command sees.
  • Ingestion points: Reads SOP.toml and SOP.md files from the filesystem; accepts variables via CLI arguments or API calls.
  • Boundary markers: None. The shell command is executed as a raw string.
  • Capability inventory: Uses fs for file operations and child_process.exec for command execution.
  • Sanitization: No sanitization is performed on the command string before execution, and variables are merged into the environment block without validation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 05:11 AM