demo-producer
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `scripts/generate.sh` bash script is vulnerable to command injection during its execution by the agent. It extracts metadata (names, descriptions, and workflow phases) from external files like `SKILL.md` and `agent.md` and interpolates these values into unquoted shell heredocs (e.g., `<< ACTIVATION`, `<< TASK`, and `<< SCRIPT_HEADER`). If the extracted metadata contains shell metacharacters such as backticks or `$(...)`, they will be evaluated and executed by the shell during the script generation phase.
- [DYNAMIC_EXECUTION]: The skill's core functionality involves the dynamic generation of executable bash scripts (`.sh`) and terminal recording configurations (`.tape`) at runtime. These files are constructed from data extracted from other skills, made executable via `chmod +x`, and subsequently run. This pattern of creating and executing scripts from non-static, potentially untrusted source data is inherently risky.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted documentation content from the codebase to drive its logic.
  - Ingestion points: `scripts/generate.sh` reads `SKILL.md`, `agent.md`, and `plugin.json` from the current project environment.
  - Boundary markers: None; the skill lacks delimiters or instructions to ignore malicious content within the files it analyzes.
  - Capability inventory: The skill has access to the `Bash` tool, `TaskCreate`, and performs file system operations including writing and executing scripts.
  - Sanitization: Absent; the metadata extraction logic uses simple `grep` and `sed` patterns without escaping or validating the content before it is used in command templates.
Audit Metadata