napkin
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes platform-specific shell commands to open the browser and interact with the system clipboard. Evidence: 'open', 'xdg-open', and 'start' are used to launch the HTML whiteboard; 'pbpaste' (macOS), 'xclip' (Linux), and 'Get-Clipboard' (Windows) are used to extract data from the user's clipboard.
- [DATA_EXFILTRATION]: The skill reads the entire contents of the system clipboard to extract supplementary JSON data. This behavior can lead to unintentional data exposure if the user has sensitive information (e.g., credentials, private keys, or personal messages) on their clipboard when the 'check the napkin' command is invoked.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interprets untrusted content from external files and the clipboard without adequate isolation.
- Ingestion points: The skill reads 'napkin-snapshot.png' from '/Downloads' or '/Desktop' and reads text directly from the system clipboard.
- Boundary markers: Absent. Whiteboard data is interpreted directly by the model without the use of protective delimiters or instructions to ignore embedded commands.
- Capability inventory: The agent has the ability to write files (e.g., copying the HTML template) and execute shell commands for clipboard and browser interaction.
- Sanitization: None. The skill does not validate or sanitize the visual or text content retrieved from the whiteboard before passing it to the model for interpretation.
Audit Metadata