emerging-channels
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE COMMAND_EXECUTION DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Python script campaign-tracker.py with arguments such as --brand {slug}. This capability represents a surface for local command execution if the brand identifier is manipulated.
- [DATA_EXFILTRATION]: The skill accesses sensitive local directories located at ~/.claude-marketing/brands/ to retrieve brand profiles and guidelines. This access to potentially sensitive business data is a prerequisite for exposure.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests data from external local files without explicit sanitization.
  - Ingestion points: Data is read from profile.json, _manifest.json, restrictions.md, channel-styles.md, messaging.md, and voice-and-tone.md within the brand's local directory.
  - Boundary markers: No delimiters or instructions are provided to the agent to treat this ingested content as untrusted or to ignore embedded commands.
  - Capability inventory: The agent can execute local shell commands via Python and has read access to the local filesystem.
  - Sanitization: There is no evidence of validation or sanitization of the brand-specific configuration files before they are processed by the agent.