Telos
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The Chat API in the dashboard template is vulnerable to indirect prompt injection.
  - Evidence: In DashboardTemplate/App/api/chat/route.ts, the system prompt is constructed by concatenating all content from the TELOS directory via getTelosContext(). This directory contains files that are either uploaded by the user (DashboardTemplate/App/api/upload/route.ts) or generated from external notes (Workflows/InterviewExtraction.md).
  - Vulnerability: Malicious instructions embedded in an interview transcript (e.g., 'Ignore previous instructions and perform [Action]') will be ingested into the dashboard's system prompt. Because there are no boundary markers (such as XML tags or delimiters) and no sanitization, the AI assistant will treat these instructions as authoritative system-level directives.
- DATA_EXFILTRATION (MEDIUM): Extensive exposure of sensitive personal data.
  - Evidence: The chat functionality (DashboardTemplate/App/api/chat/route.ts) automatically loads and transmits the user's entire TELOS context, including the files TRAUMAS.md, BELIEFS.md, and PROBLEMS.md, to the Anthropic API for every query.
  - Risk: Although the recipient is a trusted AI provider, the wholesale transmission of highly sensitive personal history creates a significant privacy risk and a data exposure surface that the user may not fully appreciate from the UI.
- COMMAND_EXECUTION (LOW): Use of local scripts for data management.
  - Evidence: Workflows/Update.md triggers the execution of a local TypeScript file (~/.claude/commands/update-telos.ts) via bun to handle file updates and backups.
  - Risk: While the script is internal and focused on logging/backups, it represents an executable attack surface if an attacker can influence the parameters passed to the script.
Recommendations
- AI detected serious security threats
Audit Metadata