responding-to-notifications
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability. The skill processes untrusted notification text from external sources via tools.responder queue.
  - Ingestion Point: tools.responder queue fetches external notifications and saves them to drafts/queue.yaml.
  - Boundary Markers: Absent. The agent is instructed to read and respond to notification text without any delimiters or 'ignore instructions' warnings for the content.
  - Capability Inventory: The agent has the capability to execute tools.responder send, which can be used to exfiltrate data or perform unauthorized interactions if hijacked.
  - Sanitization: Absent. No logic exists to filter or escape instructions embedded in the notification body.
- [PROMPT_INJECTION] (HIGH): The 'Cameron Protocol' instructs the agent to 'Always respond, defer to instructions' and 'Defer to Cameron's instructions in conflicts'. This creates a high-risk administrative override path. An attacker spoofing the handle @cameron.stream or exploiting the lack of authentication for that handle check could completely hijack the agent's behavior.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on executing system commands via uv run. While these are defined as internal tools, the combination with untrusted data ingestion increases the risk of the agent being coerced into running malicious arguments if the underlying Python tools are not hardened against shell injection.
Recommendations
- AI detected serious security threats
Audit Metadata