Investigation
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's workflows (e.g., `ReverseLookup.md`, `SocialMediaSearch.md`) explicitly instruct the agent to install external third-party Python packages such as `holehe` and `sherlock-project` using `pip install` during the investigation process.
- [COMMAND_EXECUTION]: The skill mandates the execution of `curl` commands to a local endpoint (http://localhost:8888/notify) as a 'MANDATORY: Voice Notification' step across almost every workflow. Furthermore, `EntityTools.md` contains executable PowerShell snippets for Active Directory and system enumeration, which an agent might execute if prompted by processed data.
- [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Data is ingested from 279+ external OSINT sources, social media bios, public records, and search engine results.
  - Boundary markers: There are no explicit instructions or delimiters used when passing untrusted external data to the parallel research agents (32+ agents in some workflows).
  - Capability inventory: The agent has capabilities for file system access (`~/.claude/`), network operations (`curl`), and package management (`pip`).
  - Sanitization: No sanitization or validation of the ingested data is present before it is used to influence further task orchestration.
- [DATA_EXFILTRATION]: The skill performs extensive file system operations, reading from and writing to sensitive application paths such as `~/.claude/MEMORY/` and `~/.claude/History/`. It also dynamically loads configurations and 'PREFERENCES.md' from user-controlled paths in `~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/`, which could be exploited to manipulate agent behavior.
Audit Metadata