chief-of-staff
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The
generate-newsletter-digestcommand transmits summarized content derived from the user's private Gmail messages to an external API endpoint (https://hartreeworks.org/api/newsletter-digest). While the endpoint is owned by the vendor, sending processed private email data to a remote server constitutes a significant privacy risk. - [DATA_EXFILTRATION]: The skill accesses and processes highly sensitive local files containing the full history of the user's interactions with Claude, including
~/.claude/history.jsonland detailed debug logs in~/.claude/debug/*.txt. - [COMMAND_EXECUTION]: The skill frequently executes local Python and shell scripts using hardcoded absolute paths (e.g.,
/Users/ph/.agents/skills/chief-of-staff/generate_digest.py). This demonstrates a lack of sandboxing and could be exploited if the local file system or the scripts themselves are compromised. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted external content (newsletters and chat logs) to generate summaries used in briefings.
- Ingestion points: Gmail messages (via
generate-newsletter-digest.md) and Claude Code chat logs (viagenerate-chat-digest.md). - Boundary markers: No delimiters or safety instructions are provided to the LLM agents (Haiku/Opus) to prevent them from obeying instructions embedded in the newsletters or logs.
- Capability inventory: The skill possesses the ability to execute system commands and perform network POST requests.
- Sanitization: There is no evidence of sanitization or filtering of external data before it is processed by the AI models.
- [EXTERNAL_DOWNLOADS]: The skill documentation instructs users to install components via
npx skills add HartreeWorks/skill--chief-of-staff, which involves downloading and executing code from a remote repository.
Audit Metadata