morning-briefing
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it retrieves and displays content from external source files without sufficient isolation.
- Ingestion points: The `run.py` script reads data from `~/.openclaw/skill-state/daily-review/state.yaml`, `~/.openclaw/skill-state/long-running-task-management/state.yaml`, and `~/.openclaw/skill-state/task-handoff/state.yaml`.
- Boundary markers: No clear delimiters (such as XML tags or specific block headers) are used to separate ingested content from the briefing's structural instructions.
- Capability inventory: The briefing is designed to be sent to user messaging channels (Telegram, Slack), which could be leveraged for social engineering or unauthorized data disclosure if the ingested tasks contain malicious instructions.
- Sanitization: Content is interpolated directly into the output string in `run.py` without any filtering or escaping of potential prompt injection payloads.
Audit Metadata