rust-learner

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from external sources (e.g., docs.rs, lib.rs) and local agent definitions (../../agents/*.md). Ingestion points: SKILL.md (via Read and agent-browser). Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded instructions in fetched documentation. Capability inventory: Bash (via agent-browser), Task (subagent spawning), Read, and Glob. Sanitization: Absent; data fetched from external sites is processed and formatted directly into the agent context.
  • [Dynamic Execution] (HIGH): In 'Agent Mode', the skill uses the Read tool to load prompt content from files at '../../agents/*.md' and executes them via the Task tool. This runtime loading of instructions from relative paths outside the skill's own directory allows for non-deterministic behavior and potential execution of malicious instructions placed in those locations by other processes or compromised dependencies.
  • [Command Execution] (MEDIUM): The skill constructs Bash commands for the agent-browser CLI using variables derived from user input (e.g., crate names). While base URLs are defined, the reliance on shell execution for web browsing creates a risk if input sanitization is bypassed or if the CLI tool itself interprets certain strings as commands.
  • [Data Exposure] (LOW): The use of the Read tool with a directory traversal pattern (../../agents/) allows the skill to access files outside its package root. Although restricted to markdown files in this instance, it violates the principle of path isolation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 08:45 PM