write-report

Fail

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill reads the .env file at /home/ubuntu/projects/fellowship-dev/claude-buddy/.env to retrieve the QUEST_TOKEN. Accessing secret files is a high-risk activity for an automated agent.
  • [DATA_EXFILTRATION]: The skill reads the content of report files and transmits them via a curl POST request. Although targeted at 127.0.0.1, this pattern of secret retrieval followed by network transmission is a characteristic of data exfiltration.
  • [COMMAND_EXECUTION]: The skill uses python3 -c to generate JSON payloads while interpolating shell variables like $REPORT_TITLE directly into the script string. This creates a potential command injection vulnerability if the variables contain malicious payloads.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 26, 2026, 02:53 AM