activitykit
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill contains deceptive instructions referencing future software versions that do not exist, such as iOS 26, Swift 6.2, and macOS Tahoe. This technique can be used to bypass model knowledge constraints or influence agent behavior by simulating a non-existent environment.
- [PROMPT_INJECTION]: The skill documents an implementation pattern vulnerable to indirect prompt injection.
  - Ingestion points: Data from external APNs push notification payloads is ingested and displayed directly in the user interface, as described in references/activitykit-patterns.md.
  - Boundary markers: No boundary markers or instructions are provided to the agent or the implementation code to treat the incoming payload data as untrusted.
  - Capability inventory: The skill uses Activity.request and activity.update for system UI presentation and performs network requests via ServerAPI.shared.registerActivityToken to transmit push tokens to a remote server.
  - Sanitization: The implementation patterns include no sanitization, validation, or escaping logic for content received from external sources.
- [EXTERNAL_DOWNLOADS]: The documentation references in references/activitykit-patterns.md point to sosumi.ai instead of the official Apple developer portal. This is a non-standard domain which may host misleading or malicious content.
Audit Metadata