First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
9
Score
34/100
Findings (9)
Detects attempts to override or ignore previous instructions
Ignore previous instructionsRemove the injection payload from the skill definition. Text that attempts to reset agent context or override prior directives is a direct attack vector.
Likely FP if the text is in a security tutorial or research paper discussing injection techniques as examples, not in an active skill description.
Detects common jailbreak prompt patterns
DAN modeRemove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).
Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.
Detects reads of sensitive system or credential files
cat ~/.configPrevent the tool from reading environment variables and sending them to external endpoints. If env access is needed, restrict it to specific variable names via an allowlist.
Likely FP if the match is documentation about how to configure environment variables, not code that reads and transmits them.
Detects attempts to extract the system prompt
Reveal your system promptRemove directives that attempt to make the agent act autonomously without user confirmation (e.g., automatically running commands, skipping confirmation prompts).
Likely FP if the matched text is in a CI/CD tool description where automated execution is the intended behavior in a controlled environment.
Detects execution of shell script files via bash/sh command or direct invocation
./scripts/create_agent.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects cron jobs or scheduled tasks that execute commands
crontab -eValidate cron expressions and scheduled commands against an allowlist. Ensure scheduled tasks cannot be modified by untrusted input and log all cron job changes.
Likely FP if the match is a documentation reference to crontab syntax or a short mention of cron in a description of scheduling concepts.
Detects execution of shell script files via bash/sh command or direct invocation
./scripts/secure-pipeline.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
bash
./scripts/update_agent.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
./scripts/update_agent.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.