onboardme
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from multiple repository files to drive its game logic.
  - Ingestion points: package.json, README.md, .env.example, docker-compose.yml, and source code entry points are read during the preparation phase as described in instructions/prepare-game.md.
  - Boundary markers: None. The instructions do not define delimiters or provide warnings to ignore embedded instructions within the project files, making the agent susceptible to instructions hidden in documentation or manifests.
  - Capability inventory: The skill executes local node scripts (state-manager.cjs, knowledge-manager.cjs), creates directories (mkdir), and performs git operations (git checkout, git branch -D).
  - Sanitization: None. There is no instruction to escape or validate the content extracted from the repository before using it in logic or command construction.
- [Command Execution] (HIGH): The skill is susceptible to shell injection by interpolating repository-controlled strings directly into bash commands.
  - Evidence: In instructions/prepare-game.md (Steps 4 and 5), the agent is directed to run node <manager> write '<JSON>' using a JSON string that contains data extracted from the repository (e.g., project name, git username).
  - Risk: An attacker could craft a project name in package.json containing shell metacharacters (e.g., "; touch /tmp/pwned; ") which would be executed by the shell when the agent attempts to save the game state.
Recommendations
- AI detected serious security threats