message-test
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes an external script 'audience-simulator.py' by interpolating user-provided variables such as '{id}' and 'Message variants' into the command line. This creates a high risk of command injection, as an attacker could provide input containing shell metacharacters to execute arbitrary system commands.
- [DATA_EXFILTRATION]: The skill accesses files in the user's home directory ('~/.claude-marketing/') using an interpolated '{slug}' variable. This pattern is highly susceptible to path traversal attacks, potentially allowing an attacker to read sensitive files outside the intended directory by providing a manipulated slug (e.g., '../../.ssh/id_rsa').
- [PROMPT_INJECTION]: The skill processes untrusted 'Message variants' and CRM behavioral data, which serves as a surface for indirect prompt injection.
  1. Ingestion points: User-provided message text and local profile files.
  2. Boundary markers: Absent; there are no instructions for the agent to treat this data as non-executable text or to ignore embedded instructions.
  3. Capability inventory: The skill has the capability to execute shell commands and perform extensive local file system reads.
  4. Sanitization: Absent; no validation or escaping of input strings is performed before they are used in system operations or logic.
Recommendations
- AI detected serious security threats
Audit Metadata