x-cmd-knowledge
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill's primary function is to ingest untrusted external data from sources like Wikipedia, Hacker News, and Stack Exchange. This creates a significant surface for indirect prompt injection.
- Ingestion points: Articles from
x wkp, comments fromx hn, and answers fromx seenter the agent's context. - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when interpolating external data.
- Capability inventory: The agent is authorized to execute shell commands via the
xCLI, including configuration changes. - Sanitization: No sanitization or filtering of the fetched content is described, allowing malicious instructions in a Wikipedia edit or HN comment to potentially control the agent's next actions.
- COMMAND_EXECUTION (HIGH): The skill operates by giving the agent the ability to execute arbitrary subcommands through the
xCLI. If an injection attack occurs, the agent has a direct functional path to execute unintended shell commands. - EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the
x-cmdCLI to be pre-installed.x-cmd.comis not a trusted source according to the provided security guidelines, making the underlying toolset unverifiable and potentially dangerous. - DATA_EXFILTRATION (MEDIUM): The
cfgandinitsubcommands for tools likeddgoandhnallow the agent to modify API endpoints and proxy settings. A sophisticated prompt injection could trick the agent into reconfiguring these tools to send data or authentication headers to an attacker-controlled server.
Recommendations
- AI detected serious security threats
Audit Metadata