token-economist
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest untrusted data from local files or raw text for 'smart summarization' and 'intelligent chunking.'
  - Ingestion points: The `input` (file path) and `text` (raw string) arguments provide direct entry for external content into the agent's context.
  - Boundary markers: There are no markers or delimiters defined in the `SKILL.md` or type definitions to separate the untrusted data from the agent's core instructions.
  - Capability inventory: The skill processes this data to create 'information-dense' summaries intended for downstream LLM processing. This allows malicious instructions hidden in the input text to influence the agent's subsequent behavior.
  - Sanitization: No evidence of sanitization, filtering, or instruction-stripping is present.
- Data Exposure & Credential Handling (MEDIUM): The 'Knowledge Protocol' in `SKILL.md` explicitly mentions integrating 'Confidential' and 'Personal' knowledge tiers, specifically stating it 'prioritizes the most specific secrets.'
  - This behavior is highly suspicious for a token usage utility. It suggests the skill may attempt to access sensitive files (like `.env` or credential stores) under the guise of 'optimizing' them, potentially leading to the inclusion of secrets in summaries or outputs.
- Missing Implementation (INFO): The `package.json` file identifies `scripts/analyze.cjs` as the main entry point, but this file is missing from the skill package. This prevents verification of how the script handles the file paths or whether it executes arbitrary commands.
Recommendations
- AI detected serious security threats
Audit Metadata