create-anyone

Warn

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: Accesses highly sensitive communication data, specifically iMessage databases located at ~/Library/Messages/chat.db and WeChat databases. This constitutes significant data exposure of private message history.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to execute the openpersona package, which involves downloading and executing external code from the npm registry at runtime.
  • [COMMAND_EXECUTION]: Utilizes the Bash tool to execute external CLI commands (npx openpersona) and multiple local utility scripts (preprocess.py, skill_writer.py, version_manager.py) to manage persona data and snapshots.
  • [PROMPT_INJECTION]: Ingests large amounts of untrusted external data from chat exports (WhatsApp, Telegram, Slack, etc.) and web searches, creating a surface for indirect prompt injection.
  • [PROMPT_INJECTION]: Evidence for Category 8 (Indirect Prompt Injection):
      • Ingestion points: Reads files via Read tool and preprocess.py, and gathers content via WebSearch (SKILL.md).
      • Boundary markers: Instructions mention redacting PII and using 'Inspired-by mode,' but do not include strict prompt delimiters for all ingested content.
      • Capability inventory: Possesses Bash, Write, Edit, and WebSearch capabilities across its scripts and instruction files.
      • Sanitization: preprocess.py performs basic regex-based HTML tag removal on generic file loads.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 13, 2026, 01:24 AM