team-task-management
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it is instructed to ingest data from external sources that are not entirely under its control. Specifically, it reads worker-generated results from a shared storage location.
- Ingestion points: The agent is directed to pull and read `result.md` files from the `shared/tasks/` directory on MinIO as part of the task completion flow described in `references/finite-tasks.md`.
- Boundary markers: The instructions do not provide delimiters or guidance to the agent to ignore potential instructions embedded within the worker-provided content.
- Capability inventory: The agent has the ability to execute bash scripts, manage local state files, and perform network operations via `curl` and `mc`.
- Sanitization: There is no evidence of validation or sanitization of the external content before it is read into the agent's context.
- [DATA_EXFILTRATION]: The script `scripts/send-team-message.sh` retrieves sensitive information, including a Matrix `accessToken`, from a local configuration file (`openclaw.json`). This credential is then transmitted over the network via an HTTP Authorization header to a remote homeserver. While this is the intended function for the skill's messaging capabilities, the retrieval and transmission of authentication tokens to external endpoints represent a data exposure pattern.