tripit
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill has a significant indirect prompt injection surface (Category 8) because it handles external itinerary data and has high-impact capabilities like updating or deleting trip resources.
  - Evidence Chain:
    - Ingestion points: User-provided trip names, locations, and travel details.
    - Boundary markers: No explicit delimiters or instructions to ignore embedded commands.
    - Capability inventory: Subprocess execution of 'tripit' CLI with CRUD and file-attach capabilities.
    - Sanitization: No evidence of input validation or escaping.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill instructs the installation of the 'tripit' package from a public registry (npm), which is an unverifiable dependency.
- Dynamic Execution (MEDIUM): Shell commands are used extensively through 'fnox' and 'bun'. There is a risk of command injection if parameters like trip names or file paths are not correctly handled.
- Data Exposure & Exfiltration (MEDIUM): The 'documents attach' command allows the agent to read local files and upload them to a remote service, which could be misused to access and upload sensitive files from the local filesystem.
Recommendations
- AI detected serious security threats
Audit Metadata