skill-rag-router
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The script scripts/router.sh contains a shell command injection vulnerability. It interpolates the $QUERY variable into a jq filter string using single quotes. A query containing a single quote can terminate the string and allow an attacker to append and execute arbitrary shell commands on the host system.
  Evidence: echo "$RESULTS" | jq -s ' { query: "'"$QUERY"'", ... } ' in scripts/router.sh.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection and schema confusion because it ingests untrusted data from multiple sources without sanitization or boundary markers.
  - Ingestion points: scripts/index-skills.sh reads descriptions from external SKILL.md files; scripts/suggest-skills.sh processes user prompts; scripts/categorize-skills.sh reads directory names as skill names.
  - Boundary markers: Absent. The output generated by suggest-skills.sh is injected directly into the system prompt without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill executes a local binary (ck), performs shell operations, and writes to local cache files.
  - Sanitization: Metadata and skill names are interpolated into JSON structures without proper escaping. Specifically, index-skills.sh only removes double quotes but leaves backslashes (which can escape the closing quote), and categorize-skills.sh performs no escaping on skill names, leading to potentially malformed or malicious JSON output.
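Added here as an illustration, not code from skill-rag-router: the query assembly from scripts/router.sh rebuilt in both shapes, with jq's --arg as the fix, since --arg binds the query as a jq variable and jq performs the JSON escaping. The filter body (results: .), the sample index hits and the sample queries are assumptions; jq must be installed.

```shell
#!/bin/sh
# Added example, not the skill's own code. Assumes jq is installed; the
# filter body "results: ." and all sample values below are constructed.

# Audited shape: $query is spliced into the jq filter program itself, so any
# quote character in the query changes the program rather than the data.
build_unsafe() {
  query="$1"
  results="$2"
  printf '%s\n' "$results" | jq -s ' { query: "'"$query"'", results: . } '
}

# Hardened shape: --arg passes the query as a jq variable; the filter text is
# a constant and jq emits the value as a correctly escaped JSON string.
build_safe() {
  query="$1"
  results="$2"
  printf '%s\n' "$results" | jq -s --arg query "$query" '{ query: $query, results: . }'
}

# Read the query field back out of a built document (round-trip check).
query_of() {
  jq -r '.query'
}

# Constructed sample index hits, one JSON object per line as jq -s expects.
SAMPLE_RESULTS='{"skill":"alpha","score":0.91}
{"skill":"beta","score":0.42}'

# Constructed queries: one with both quote characters, one ending in a
# backslash (the case the audit raises for index-skills.sh).
TRICKY_QUERY="it's a \"test\""
BACKSLASH_QUERY='ends with \'

# Stand-alone run: print the hardened document for both sample queries.
if command -v jq >/dev/null 2>&1; then
  build_safe "$TRICKY_QUERY" "$SAMPLE_RESULTS"
  build_safe "$BACKSLASH_QUERY" "$SAMPLE_RESULTS"
fi
```

Feeding TRICKY_QUERY to build_unsafe makes jq reject its own filter and exit non-zero, which is the quickest way to confirm the pattern is data-dependent.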
Recommendations
- AI detected serious security threats
Audit Metadata