Interceptor

Fail

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill downloads source code from an external GitHub repository (github.com/Hacker-Valley-Media/slop-browser) and executes it after local compilation. This establishes a remote-code-execution pipeline where updates to the repository are automatically pulled and run with high privileges.
      • Evidence: Workflows/Update.md contains git reset --hard origin/main, bun install, and bash scripts/build.sh.
  • [PRIVILEGE_ESCALATION]: The Update workflow requires the use of sudo to copy binaries into system directories (/opt/homebrew/bin/ and /usr/local/bin/).
      • Evidence: Workflows/Update.md uses sudo cp ~/Projects/interceptor/dist/interceptor-bridge /usr/local/bin/interceptor-bridge.
  • [PERSISTENCE_MECHANISMS]: The skill installs a macOS LaunchAgent to ensure a background helper process ('interceptor-bridge') is automatically started and kept running across sessions.
      • Evidence: Workflows/Update.md writes a plist to ~/Library/LaunchAgents/com.interceptor.bridge.plist and executes launchctl bootstrap.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill sets up a UNIX domain socket at /tmp/interceptor-bridge.sock with zero authentication. This socket grants any local process access to sensitive OS-level capabilities including clipboard reading, screen capture, audio monitoring, and synthetic input simulation.
      • Evidence: SKILL.md and Workflows/Update.md section 6c explicitly state: "There is ZERO authentication on the socket... any local process... can connect and execute every bridge action."
  • [INDIRECT_PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection by reading untrusted web content and network logs while maintaining powerful system capabilities.
      • Ingestion points: interceptor read, interceptor inspect, and interceptor net log in SKILL.md and various workflows.
      • Boundary markers: Absent. The skill does not implement delimiters or instructions to ignore embedded commands in the data it reads.
      • Capability inventory: Subprocess calls (sudo, launchctl, cp), file system writes, and dynamic JavaScript execution (interceptor eval) across all scripts.
      • Sanitization: Absent. External content is ingested directly into the agent's context without filtering or validation.
  • [DYNAMIC_EXECUTION]: The skill uses the eval command to execute arbitrary JavaScript in the browser's context, which can be used to bypass security controls or access sensitive session data.
      • Evidence: interceptor eval <code> [--main] in SKILL.md and used for error checking in Workflows/Reproduce.md.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 2, 2026, 01:03 AM