fresh-auth
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The `office-cli.js` and `office-cli.ts` scripts execute the system utility `pdftoppm` using `child_process.spawn` to convert PDF pages into images for processing.
- [EXTERNAL_DOWNLOADS]: The skill connects to `auth.freshhub.ai` to proxy requests to Microsoft and Notion services, and uses the `openrouter.ai` API for document-to-markdown conversion tasks.
- [DATA_EXFILTRATION]: Document contents, including text and images, are transmitted to the `openrouter.ai` API during the conversion process. This is a functional requirement but involves sending potentially sensitive user data to a third-party AI provider.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the `drive convert` command. External content from documents is included in prompts sent to an LLM without strict isolation, allowing malicious files to potentially influence the conversion output.
  - Ingestion points: `office-cli.js` (Drive files and PDF pages), `notion-query.js` (Notion page content).
  - Boundary markers: Document content is interpolated into LLM prompts without explicit delimiters or 'ignore' instructions for the embedded content.
  - Capability inventory: Includes file system writes, network requests, and subprocess execution (`pdftoppm`).
  - Sanitization: Uses `stripHtml` for email bodies but lacks specific sanitization for prompt injection vectors in document text.
- [DATA_EXPOSURE]: The skill manages session tokens stored at `~/.config/fresh-auth/agent-session`. While access is restricted to the owner (0600), these files contain sensitive identifiers for the authentication proxy.
Audit Metadata