SECUpdates
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill includes a 'Voice Notification' section that requires the agent to execute a
curlcommand tohttp://localhost:8888/notifybefore performing any other task. This mandatory command execution to a local port is a dangerous pattern that could be used to exploit local services, bypass firewalls, or interact with sensitive internal APIs. - [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process content from various external security news websites. This creates a significant surface for indirect prompt injection where malicious instructions hidden in news articles could manipulate the agent's output or trigger secondary actions.
- Ingestion points: tldrsec.com, no.security, krebsonsecurity.com, thehackernews.com, schneier.com, risky.biz
- Boundary markers: Absent; the skill lacks delimiters or instructions to ignore embedded commands in the fetched content.
- Capability inventory: Shell command execution (
curl), file system read/write (cat, state file updates). - Sanitization: Absent; no escaping or validation of the fetched summaries is performed before processing.
- [Data Exposure] (LOW): The skill accesses and writes to files within the user's home directory (
~/.claude/skills/...) for state tracking and customization. While functional for the skill, this demonstrates broad filesystem access capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata