my-context-sync
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes multiple local Python scripts to perform data collection.
- Evidence includes calls to `uv run python .claude/skills/my-context-sync/scripts/gmail_fetch.py`, `calendar_fetch.py`, and `github_fetch.py`.
- The GitHub script is executed using a hardcoded absolute Windows path: `C:/Users/ash/.claude/skills/my-context-sync/scripts/github_fetch.py`.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its core function of aggregating untrusted external data.
- Ingestion points: Reads content from Slack messages, Gmail body text, GitHub issues/PRs, and Notion pages.
- Boundary markers: The skill description does not specify the use of delimiters (e.g., XML tags or triple quotes) to separate untrusted content from agent instructions during the "Result Integration" phase.
- Capability inventory: The agent has the capability to write files to the local disk and execute sub-tasks based on the aggregated information.
- Sanitization: There is no mention of filtering, escaping, or sanitizing the data collected from external sources before it is processed by the LLM.
- [CREDENTIALS_UNSAFE]: The skill documentation describes unsafe methods for handling secrets and authentication tokens.
- The skill explicitly mentions passing `GITHUB_PERSONAL_ACCESS_TOKEN` directly via a command-line environment variable prefix, which can expose the token in process lists or shell history.
- It notes that `google_token.json` is stored locally within the skill directory for Gmail and Calendar access.