life-os-knowledge
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): Multiple files (scripts/insert_location.py, scripts/query_locations.py) contain a hardcoded Supabase 'service_role' JWT. This key bypasses Row Level Security (RLS) and provides administrative access to the database. An attacker could use this to exfiltrate all personal family data or delete the entire database.
- DATA_EXFILTRATION (MEDIUM): The skill actively sends personally identifiable information (PII) including family names (Shapira), child's names (Michael), home locations (Satellite Beach), and travel patterns to a third-party cloud database (Supabase).
- COMMAND_EXECUTION (LOW): The skill includes Python scripts designed to be executed via command line to perform database operations, though it does not explicitly use dangerous sinks like 'eval()'.
- SSL_VERIFICATION_DISABLED (MEDIUM): In 'scripts/insert_location.py' and 'scripts/query_locations.py', the 'httpx' client is initialized with 'verify=False'. This disables SSL certificate verification, making all database communications susceptible to Man-in-the-Middle (MitM) attacks where an attacker could intercept or modify the data being sent.
Recommendations
- AI detected serious security threats
Audit Metadata