case-feedback-skill
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the Bash tool to execute a bundled Node.js script (`scripts/submit-feedback.mjs`). The command-line pattern provided in `SKILL.md` involves direct interpolation of untrusted user feedback and conversation context into a shell string (e.g., `--feedback "..."`). This represents a command injection surface if the interpolated text contains unescaped double quotes or shell metacharacters.
- [DATA_EXFILTRATION]: The skill captures the full conversation history ("context") and user feedback to send it to external endpoints (`api.z.ai` or `bigmodel.cn`) via HTTPS POST requests. This data transmission is the primary purpose of the skill and targets the vendor's own infrastructure or a well-known AI platform service.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from the conversation history.
  - Ingestion points: Untrusted data enters the agent context through the conversation history and user-provided feedback text referenced in `SKILL.md`.
  - Boundary markers: The prompt does not specify any delimiters or safety instructions to prevent the agent from obeying instructions embedded within the feedback or history data.
  - Capability inventory: The skill has the capability to execute shell commands via the Bash tool and make outbound network requests via the `https` module in the bundled script.
  - Sanitization: There is no explicit sanitization or escaping of the user-provided data before it is interpolated into the shell command arguments or the JSON payload.
Audit Metadata