workspace-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The skill is designed to manage and store sensitive API tokens (github_token, jira_token) in plain text within ~/.brn/config.yaml. It has no integration with secure storage such as the OS keychain or an encrypted vault, so any process or agent that can read the file can read the tokens.
- DATA_EXFILTRATION (HIGH): The script scripts/get_active_workspace.sh includes a --json flag that outputs the entire configuration of the active workspace, including the plain-text tokens. This creates a direct path for an AI agent to inadvertently leak credentials into its conversation context or pass them to other external tools.
- COMMAND_EXECUTION (MEDIUM): Scripts such as configure_workspace.sh and create_workspace.sh call the yq tool with shell-interpolated variables ($WORKSPACE_NAME, $VALUE). The variables are double-quoted, which prevents shell word splitting, but they are spliced into the yq expression itself and their contents are not strictly validated. A value containing a double quote or a pipe therefore changes the expression (yq expression injection), which could be used to modify or disclose other parts of the configuration file.
- INDIRECT PROMPT INJECTION (MEDIUM) (Category 8 Analysis):
  - Ingestion points: the skill reads and acts upon the contents of ~/.brn/config.yaml in all script operations.
  - Boundary markers: none present; data from the config file is treated as trusted parameters for shell operations.
  - Capability inventory: the skill can create directories (mkdir -p), create or overwrite files (cat >), and modify YAML configurations (yq -i).
  - Sanitization: validation is limited to a whitelist of keys in configure_workspace.sh; no sanitization is performed on workspace names or property values, allowing schema confusion or malicious configuration injection.
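The following is an added example, not code from the workspace-manager skill or from the audit. It reconstructs the flagged yq pattern in its vulnerable shape and shows the hardened alternatives: a strict whitelist on workspace names and keys, passing values to yq as data through strenv() instead of splicing them into the expression, stripping token-bearing keys from the JSON view, and reading tokens from the environment rather than the YAML file. It assumes the config layout the findings describe (workspaces.<name>.<key> plus an "active" field naming the current workspace), yq v4, and a hypothetical key whitelist (github_token, jira_token, repo_url) and BRN_<KEY> environment variable naming; none of those details are given on the page.

```shell
#!/bin/sh
# Added hardening example for the patterns flagged in the audit.
# Not workspace-manager's own code. Assumes yq v4 and the layout
# workspaces.<name>.<key> with a top-level "active" field (assumption).
set -eu

CONFIG="${BRN_CONFIG:-${HOME:-.}/.brn/config.yaml}"

# Vulnerable shape, reconstructed from the audit's description (not the
# project's exact line): name, key and value are spliced into the yq
# expression text. Double-quoting the shell variable stops word splitting
# but does nothing once the value itself contains a '"' or a '|'.
unsafe_expr() {
  printf '.workspaces.%s.%s = "%s"' "$1" "$2" "$3"
}

# Hardening 1: only plain identifiers may be workspace names. Anything
# else is rejected before it can reach yq.
valid_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Hypothetical key whitelist; the real script's list is not shown on the page.
valid_key() {
  case "$1" in
    github_token | jira_token | repo_url) return 0 ;;
    *) return 1 ;;
  esac
}

# Hardening 2: the yq expression is a fixed literal; name, key and value
# travel through the environment and are read with strenv(), so yq treats
# them as strings, never as expression syntax.
set_property() {
  ws="$1"; key="$2"; value="$3"
  valid_name "$ws"  || { echo "invalid workspace name: $ws" >&2; return 1; }
  valid_key "$key"  || { echo "unknown key: $key" >&2; return 1; }
  WS="$ws" KEY="$key" VALUE="$value" \
    yq -i '.workspaces[strenv(WS)][strenv(KEY)] = strenv(VALUE)' "$CONFIG"
}

# Hardening 3: the JSON view of the active workspace drops every key that
# ends in "token", so an agent calling it cannot pull secrets into context.
show_active_json() {
  active="$(yq -r '.active' "$CONFIG")"
  valid_name "$active" || { echo "config has no valid active workspace" >&2; return 1; }
  ACTIVE="$active" yq -o=json \
    '.workspaces[strenv(ACTIVE)] | with_entries(select(.key | test("token$") | not))' \
    "$CONFIG"
}

# Hardening 4: tokens come from the environment (BRN_GITHUB_TOKEN, ...;
# assumed naming), so the YAML file only needs to hold non-secret settings.
get_token() {
  key="$1"
  valid_key "$key" || return 1
  var="BRN_$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')"
  printenv "$var"
}

# Minimal CLI so the script can be exercised directly.
case "${1:-}" in
  set)   set_property "$2" "$3" "$4" ;;
  show)  show_active_json ;;
  token) get_token "$2" ;;
esac
```

Running `sh hardened.sh set 'x"; .x' github_token abc` is refused by valid_name before yq is invoked, whereas the same name handed to unsafe_expr produces an expression that yq would happily parse as two statements. The with_entries filter in show_active_json is a blunt rule (any key ending in "token"); if the real schema stores secrets under other names, extend the pattern rather than relying on callers to know which fields are sensitive.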
Recommendations
- AI detected serious security threats
Audit Metadata