michael-d1-recruiting-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill contains extensive PII (Personally Identifiable Information) including full name, exact date of birth, school name, and specific swimming IDs. While intended for a personal agent, including this in a skill file exposes it to any LLM processing the skill.
- [Indirect Prompt Injection] (HIGH): This skill has a high vulnerability surface for indirect prompt injection.
- Ingestion points: Processes external data from SwimCloud profiles (competitor IDs) and local data at
/life-os/michael_d1_agents_v3/data/. - Boundary markers: Absent. There are no instructions to the agent to treat external athlete bios or meet descriptions as untrusted data.
- Capability inventory: The skill is designed to draft outreach emails (side effects/communication) and insert data into a Supabase database (
supabase.table('activities').insert). - Sanitization: Absent. Data from external IDs is used to 'Compare to Michael's times' and generate 'Coach outreach' content without escaping or validation.
- [Dynamic Execution] (MEDIUM): The skill provides Python code snippets for logic execution (e.g., iterating through rivals, database insertion). If the agent executes this code using internal tools, it represents a risk where logic is defined in the prompt rather than a secured module.
- [Data Exposure] (MEDIUM): The skill references a specific, hardcoded local directory path:
/life-os/michael_d1_agents_v3/data/. This provides an attacker with knowledge of the local file system structure.
Recommendations
- AI detected serious security threats
Audit Metadata