context-pack
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Path Traversal Vulnerability. The scripts/unpack.sh script is vulnerable to path traversal because it parses file paths from markdown headers and uses them directly in file system operations without validation. A malicious context pack can use directory traversal sequences like ../ to write or overwrite files outside the intended destination, such as system configuration files or SSH keys.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill aggregates content from arbitrary files into a single context window for an LLM.
- Ingestion points: Files are read from the local filesystem or extracted from ZIP archives in scripts/pack.sh.
- Boundary markers: Content is delimited by markdown headers and triple backticks, but no instructions are provided to the agent to ignore embedded commands.
- Capability inventory: The skill has the capability to write files and access the system clipboard.
- Sanitization: No sanitization or escaping of the packed file content is performed.
- [COMMAND_EXECUTION]: Deceptive Documentation. The skill documentation describes advanced features such as an interactive TUI and a web UI (scripts/pack-web.sh) that are not implemented in the provided shell scripts. This can lead to confusion and represents a failure to provide the promised functionality.
Recommendations
- AI detected serious security threats
Audit Metadata