journey-design
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill reads from paths outside of its immediate directory, specifically targeting the user's home directory (~/.claude-marketing/brands/). It accesses files such as _active-brand.json, profile.json, and _manifest.json, which likely contain sensitive business or persona data.
- [COMMAND_EXECUTION]: The process involves executing a local script (journey-engine.py) via the command line. This script is invoked with data derived from the journey design process, which can include unvalidated user inputs.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  - Ingestion points: Data enters the system via user-provided 'Target audience segments', 'Content assets available', and 'Personalization signals', as well as via brand profiles loaded from the file system.
  - Boundary markers: The instructions do not define any boundary markers or delimiters to separate untrusted content from the system instructions.
  - Capability inventory: The skill has the capability to execute shell commands (journey-engine.py) and orchestrate multiple sub-agents (journey-orchestrator, content-creator, email-specialist).
  - Sanitization: There is no evidence of sanitization or validation of the input data before it is passed to the execution engine or the secondary agents.
Audit Metadata