code-refactoring
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Persistence Mechanism] (HIGH): The skill includes an auto-start mechanism (auto-start-watcher.js and auto-start-watcher.sh) specifically designed to be triggered by the agent's SessionStart hook. This ensures background code execution occurs automatically whenever the agent is initialized.
- [Indirect Prompt Injection] (HIGH): The skill monitors user-controlled files and generates alerts in watcher-alerts.json. The instructions in slashes-commands/start-watcher.md mandate that the agent must read and display these alerts 'BEFORE responding to ANY user message'. This creates a high-risk injection surface where a maliciously named file could inject instructions that the agent executes during its automated pre-response check.
- [Prompt Injection] (HIGH): The instruction in slashes-commands/start-watcher.md ('IMPORTANT - Ongoing Alert Monitoring: From now on, BEFORE responding to ANY user message, check for new alerts') is a behavioral override that attempts to hijack the agent's standard interaction loop.
- [Command Execution] (MEDIUM): The skill uses several scripts (start-watcher.sh, stop-watcher.sh, auto-start-watcher.js) that employ spawn, execSync, and nohup to manage background tasks. While these are used for the stated purpose of file monitoring, the use of shell scripts to manage PIDs and kill processes provides a powerful primitive for local execution.
Recommendations
- AI detected serious security threats
Audit Metadata