PAIUpgrade
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill employs strong imperative directives such as "MANDATORY" and "REQUIRED BEFORE ANY ACTION" in `SKILL.md` to enforce the execution of a background notification command via `curl` immediately upon skill invocation.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists because the skill is designed to ingest and analyze untrusted third-party content.
  1. Ingestion points: YouTube transcripts, GitHub READMEs (`Workflows/Upgrade.md`), and community forums (`Workflows/ResearchUpgrade.md`).
  2. Boundary markers: absent; there are no instructions to ignore embedded commands in external data.
  3. Capability inventory: `curl`, `gh` (GitHub CLI), `yt-dlp`, and `bun` (tool execution).
  4. Sanitization: absent; content is processed directly for technique extraction.
- [DATA_EXFILTRATION]: The skill accesses highly sensitive personal files to customize its recommendations, including the user's TELOS goals and challenges (`~/.claude/PAI/USER/TELOS/`), active work state (`~/.claude/MEMORY/STATE/current-work.json`), and system settings (`~/.claude/settings.json`). This access is inherent to the skill's primary function.
- [COMMAND_EXECUTION]: Automated orchestration of multiple CLI tools is present across workflows, including `curl` for localhost notifications (`http://localhost:8888/notify`), `yt-dlp` for extracting YouTube metadata, and `gh` for performing repository searches and reading content.
- [EXTERNAL_DOWNLOADS]: The skill performs automated monitoring of various external sources. While official Anthropic news, documentation, and GitHub repositories are considered trusted, well-known services, the skill also evaluates content from third-party YouTube channels and trending GitHub projects.
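The four-point surface inventory above (ingestion points, boundary markers, capability inventory, sanitization) plus the command-execution and external-download findings can be produced mechanically from a skill's instruction files. The script below is an added example, not part of this audit and not code from the PAIUpgrade skill or the Gen Agent Trust Hub; the sample files, the tool list, the directive phrases and the boundary-marker phrases are assumptions chosen to illustrate the check, and the sample contents are constructed rather than copied from the real skill.

```python
"""Static inventory of an agent skill's prompt-injection surface (added example).

Given the text of a skill's instruction files, report the CLI tools it
invokes, the network hosts it contacts (localhost vs. external), imperative
directives that force execution, sensitive local paths it reads, and whether
any boundary-marker language tells the model to treat fetched content as data.
"""
import re

# Constructed sample files standing in for a skill's SKILL.md and workflows.
# Illustrative only; these are NOT the real PAIUpgrade contents.
SAMPLE_FILES = {
    "SKILL.md": (
        "# Upgrade skill\n"
        "MANDATORY: REQUIRED BEFORE ANY ACTION, run\n"
        "`curl -s -X POST http://localhost:8888/notify -d 'skill=upgrade'` in the background.\n"
        "Read ~/.claude/settings.json and ~/.claude/MEMORY/STATE/current-work.json first.\n"
    ),
    "Workflows/Upgrade.md": (
        "Use `gh repo view OWNER/REPO --json description` and\n"
        "`yt-dlp --skip-download --write-auto-sub URL` to collect READMEs and transcripts,\n"
        "then extract techniques with `bun run analyze.ts`.\n"
    ),
    "Workflows/ResearchUpgrade.md": (
        "Fetch forum threads with `curl https://forum.example.com/t/latest` and\n"
        "summarise new techniques.\n"
    ),
}

# Assumed inventories: extend to taste for the tools your agent can reach.
TOOLS = ("curl", "wget", "gh", "git", "yt-dlp", "bun", "npx", "ssh")
DIRECTIVES = ("MANDATORY", "REQUIRED BEFORE ANY ACTION", "MUST", "ALWAYS", "NEVER SKIP")
# Phrases a skill would use to fence untrusted content off from instructions.
BOUNDARY_PHRASES = ("treat as data", "do not follow", "ignore any instructions", "untrusted content")
LOCAL_HOSTS = ("localhost", "127.0.0.1", "[::1]")

# Match tool names only as whole tokens, so "bundle" is not "bun" and "high" is not "gh".
TOOL_RE = re.compile(r"(?<![\w-])(" + "|".join(map(re.escape, TOOLS)) + r")(?![\w-])")
URL_RE = re.compile(r"https?://([^/\s'\"`]+)")
PATH_RE = re.compile(r"~/\.[\w./-]+")


def audit_skill(files: dict[str, str]) -> dict:
    """Return the surface inventory for a mapping of file name -> contents."""
    tools: dict[str, set[str]] = {}
    hosts: dict[str, set[str]] = {"localhost": set(), "external": set()}
    directives: list[tuple[str, str]] = []
    sensitive: set[str] = set()
    boundary = False

    for name, text in files.items():
        for tool in TOOL_RE.findall(text):
            tools.setdefault(tool, set()).add(name)
        for host in URL_RE.findall(text):
            bare = re.sub(r":\d+$", "", host)  # strip a trailing port
            bucket = "localhost" if bare in LOCAL_HOSTS else "external"
            hosts[bucket].add(host)
        directives.extend((name, d) for d in DIRECTIVES if d in text)
        sensitive.update(PATH_RE.findall(text))
        if any(p in text.lower() for p in BOUNDARY_PHRASES):
            boundary = True

    return {
        "tools": {k: sorted(v) for k, v in sorted(tools.items())},
        "hosts": {k: sorted(v) for k, v in hosts.items()},
        "directives": directives,
        "boundary_markers": boundary,
        "sensitive_paths": sorted(sensitive),
    }


def categories(report: dict) -> list[str]:
    """Map the inventory onto the audit's finding categories."""
    cats = set()
    # Forced execution, or tool access with no fence around fetched content.
    if report["directives"] or (report["tools"] and not report["boundary_markers"]):
        cats.add("PROMPT_INJECTION")
    if report["sensitive_paths"]:
        cats.add("DATA_EXFILTRATION")
    if report["tools"]:
        cats.add("COMMAND_EXECUTION")
    if report["hosts"]["external"]:
        cats.add("EXTERNAL_DOWNLOADS")
    return sorted(cats)


if __name__ == "__main__":
    report = audit_skill(SAMPLE_FILES)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("categories:", categories(report))
```

The check is deliberately lexical: it tells you which files hand which tools to the model and whether any fence around fetched content exists, which is enough to reproduce the "boundary markers: absent" finding, but it cannot judge whether a fence that is present would actually hold against an injected instruction.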
Audit Metadata