create-heartbeat
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates a template that includes a background bash execution step:
sleep $((MINUTES * 60)) && echo "HEARTBEAT: /{skill_name}". Theskill_namevariable, which is gathered from user input, is interpolated directly into this shell command. If a user or a calling agent provides a name containing shell metacharacters (e.g.,my-skill; rm -rf /), it could lead to arbitrary command execution on the local system when the generated skill is invoked. - [PROMPT_INJECTION]: The generated skills are designed to ingest and parse untrusted data from remote agents (Category 8).
- Ingestion points: Remote responses are received via
mcp__trinity__chat_with_agentin the generated skill's Step 2. - Boundary markers: The template does not define explicit boundary markers or instructions to ignore embedded commands in the remote response.
- Capability inventory: The generated skill possesses capabilities to execute bash commands (logging, timers), write to the local filesystem, and interact with other remote agents.
- Sanitization: There is no evidence of sanitization or validation of the remote agent's response before it is used to determine logical branching (
is_active,is_complete).
Audit Metadata