xiaomo-assistant-template
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill and its templates (
SKILL.md,templates/TOOLS.md) recommend installing additional components usingclawdhub install. Neither 'ClawdHub' nor the specific recommended repositories (e.g.,jdrhyne/todo-tracker) are on the list of trusted external sources. - [DATA_EXFILTRATION] (LOW): The instruction files (
templates/AGENTS.mdandtemplates/SOUL.md) explicitly acknowledge that the agent has capabilities to perform external operations such as 'sending emails' and 'sending tweets' ('发邮件、发推'). While the instructions include a 'ask first' policy, this identifies a high-risk capability surface for data exfiltration. - [COMMAND_EXECUTION] (LOW): The skill documentation includes shell commands for template management, specifically
cp -rfor directory copying and mentions ofrmvstrashfor file deletion. - [INDIRECT_PROMPT_INJECTION] (LOW): The assistant is designed to ingest multiple local files as core instructions and memory, which creates a surface for indirect injection if these files are populated with untrusted data.
- Ingestion points:
templates/USER.md,templates/MEMORY.md,templates/HEARTBEAT.md, andtemplates/TOOLS.md. - Boundary markers: Absent. The agent reads raw markdown content as truth.
- Capability inventory: File system manipulation (
cp,rm), file reading, and implied network capabilities (email, Twitter). - Sanitization: Absent. The framework relies on the LLM's internal safety filters.
Audit Metadata