WriteStory
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill uses coercive and high-pressure language such as "🚨 MANDATORY: Voice Notification", "REQUIRED BEFORE ANY ACTION", and "Execute this curl command immediately upon skill invocation" in SKILL.md. These instructions are designed to force the agent to perform side-channel tasks that are not related to the primary storytelling purpose, overriding default safety and operational constraints.
- [COMMAND_EXECUTION]: The agent is instructed to run a shell command (curl) targeting http://localhost:8888/notify as a prerequisite for using the skill. While targeting localhost is generally whitelisted, the mandatory nature of this unauthorized command execution is a security concern, as it establishes a pattern for executing side effects without explicit user consent.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by requiring the agent to "load and apply" instructions from a user-writable path (~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/WriteStory/PREFERENCES.md).
- Ingestion points: SKILL.md (customization loading phase)
- Boundary markers: None provided to separate external configuration from the skill's core logic
- Capability inventory: Shell execution (curl), file system access (read/write), and local network access
- Sanitization: The skill does not provide any mechanism for validating or sanitizing the contents of the loaded preference files before integration into the agent's context.
Audit Metadata