fastnote-cli-operator

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the agent to execute a local Python script (scripts/fastnote_cli.py) via the system shell to interact with notes.
  • [DATA_EXFILTRATION]: The operator script includes arguments like --content-file and --db that allow the agent to read arbitrary files or connect to any SQLite database on the local filesystem. This could be exploited to expose sensitive data if the agent is directed toward unauthorized paths.
  • [PROMPT_INJECTION]: The skill processes untrusted data stored in a database, creating a surface for indirect prompt injection.
    • Ingestion points: Data is read from SQLite databases and local files via fastnote_cli.py.
    • Boundary markers: Results are returned in JSON format, but the agent lacks specific delimiters or instructions to ignore embedded commands within the note text.
    • Capability inventory: The agent can read files, write to databases, and execute local scripts as specified in SKILL.md.
    • Sanitization: No input validation or output sanitization is performed on note content before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 23, 2026, 06:23 AM