wilma-triage
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill requires installing the `wilma` and `gog` tools from ClawHub (`clawhub install wilma`, `clawhub install gog`). ClawHub is not a recognized trusted source (e.g., official GitHub organizations), which poses a risk of installing untrusted binaries on the host system.
- Indirect Prompt Injection (LOW): The skill processes untrusted external data which could influence agent behavior.
  - Ingestion points: Fetches and reads message content and news via `wilma messages read` and `wilma news read` (SKILL.md).
  - Boundary markers: Absent; the instructions do not implement delimiters to distinguish between system instructions and content from school administrators.
  - Capability inventory: Executes shell commands via the `wilma` and `gog` CLI tools to retrieve data and modify Google Calendar events (SKILL.md).
  - Sanitization: No evidence of sanitization, filtering, or instruction-ignoring wrappers for the ingested message content.
- Command Execution (LOW): The skill's primary workflow relies on executing shell commands. While necessary for the stated purpose, this interaction with the operating system should be monitored for unexpected command interpolation.
Audit Metadata