things-week-ahead-digest

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It ingests and processes task titles, project names, and notes from the Things application (via MCP tools or JSON files) to generate summaries and suggestions. Maliciously crafted task descriptions or notes could influence the agent's behavior or output if the agent interprets them as instructions.
  • Ingestion points: MCP tool outputs (e.g., things_read_todos) and JSON input files processed by scripts/build_digest.py.
  • Boundary markers: The skill does not define explicit delimiters or 'ignore' instructions for the data it processes.
  • Capability inventory: The skill uses MCP tools for reading data, performs local file reads, and executes a local Python script.
  • Sanitization: No sanitization or escaping of external task content is performed before it is presented to the agent or processed by the script.
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md and references/automation-prompts.md direct the agent to execute a local Python script (scripts/build_digest.py). While the provided script is functional and uses standard libraries without malicious intent, executing local scripts is a capability that should be monitored.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 2, 2026, 03:28 AM