WriteStory
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Mandatory shell execution in
SKILL.md. The skill instructions require the agent to execute acurlPOST request tolocalhost:8888before any other action. This is a non-standard side effect that can be used for local service probing (SSRF) or triggering unauthorized actions on the user's local network. - [PROMPT_INJECTION] (HIGH): High-risk Indirect Prompt Injection surface. The skill is designed to ingest and process large volumes of untrusted user-provided text (stories, notes, chapters) and perform complex operations based on that data.
- Ingestion points:
Workflows/Interview.md(Step 1: 'Read ALL of it first') andWorkflows/Revise.md(Step 2: 'Read the existing chapter/scene/passage in full'). - Boundary markers: Absent. The skill lacks any delimiters or instructions to treat user-provided story content as untrusted data.
- Capability inventory: File system write access (
Workflows/BuildBible.mdcreates PRD files), Network access (curlinSKILL.md), and the ability to spawn/configure additional AI agents (Workflows/Explore.md). - Sanitization: Absent. There is no logic to escape or sanitize instructions that might be embedded within user-provided story text.
- [COMMAND_EXECUTION] (MEDIUM): Local environment access. The skill attempts to load and apply 'SKILLCUSTOMIZATIONS' from
~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/WriteStory/, which involves searching for and reading files from the user's home directory based on computed paths.
Recommendations
- AI detected serious security threats
Audit Metadata