ops-inbox

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides explicit instructions to download source code from external, non-trusted GitHub repositories and compile them locally using go build and make. Specifically:
      • SKILL.md (line 173) and CHANNELS.md (line 12): git clone https://github.com/Lifecycle-Innovations-Limited/wacli.git followed by go build and installation to /usr/local/bin/.
      • CHANNELS.md (line 132): git clone https://github.com/steipete/gogcli.git followed by make.
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection in SKILL.md (line 116) using the ! pattern: ! ${CLAUDE_PLUGIN_ROOT}/../../bin/ops-unread 2>/dev/null || echo '{}'. This executes a binary relative to the plugin root directory as soon as the skill is loaded, which could be exploited if the local environment is compromised.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8) because its primary function is to ingest and process untrusted data from external communication channels (Email, WhatsApp, Slack, Telegram, Notion, Discord) and generate replies based on that content.
      • Ingestion points: Data enters the context via wacli messages list (SKILL.md, line 142), gog gmail thread get (line 230), mcp__claude_ai_Notion__notion-get-comments (line 271), and ops-discord read (line 313).
      • Boundary markers: No specific boundary markers or instructions to ignore embedded commands are present in the drafting prompts.
      • Capability inventory: The skill has access to powerful tools including Bash, SendMessage, wacli send, and gog gmail send (defined in allowed-tools and lines 62, 81 of SKILL.md).
      • Sanitization: No evidence of sanitization or validation of the ingested message content before it is used to influence agent behavior or draft replies.
  • [EXTERNAL_DOWNLOADS]: The configuration guide (CHANNELS.md) recommends installing several external Node.js packages and CLI tools from public registries without specifying versions, including @modelcontextprotocol/server-slack, mcp-telegram-user, and @notionhq/notion-mcp-server.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 29, 2026, 06:48 AM