golden-dataset-management

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection through its dataset restoration process. It ingests untrusted data from 'backend/data/golden_dataset_backup.json' and executes bulk database deletions (Chunk, Artifact, Analysis) and insertions via the 'restore --replace' logic documented in 'references/backup-restore.md'.
      • Ingestion points: backend/data/golden_dataset_backup.json
      • Boundary markers: Absent (no delimiters or 'ignore embedded instruction' warnings)
      • Capability inventory: Full database deletion and modification capability (SQLAlchemy delete/add), and shell access via 'Bash' tool
      • Sanitization: Absent (JSON content is directly mapped to SQLAlchemy model fields)
  • [Dynamic Execution] (MEDIUM): The 'scripts/backup-golden-dataset.md' file uses shell expansion tokens ('!find', '!pwd', '!date') within templates to discover and disclose the file system structure. Additionally, it performs unsanitized string interpolation of the '$ARGUMENTS' variable into a Python script, creating a code injection vector if user-provided arguments are not validated.
  • [Data Exposure & Exfiltration] (LOW): Automated environment discovery commands reveal the internal directory layout to the agent, facilitating path disclosure and identifying potential targets for further data access or manipulation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:30 AM