daily-rhythm
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it ingests untrusted external content and provides it to the agent to influence daily behavior.
- Ingestion points: External data is pulled from Google Tasks titles and Google Calendar ICS events into
memory/google-tasks.jsonand then aggregated into the 'Morning Brief'. - Boundary markers: The instructions describe compiling sections into a 'formatted message' but do not specify the use of delimiters or 'ignore instructions' warnings for external content.
- Capability inventory: The skill has the ability to execute shell scripts (
morning-brief.sh), Python scripts, and perform filesystem writes tomemory/andHEARTBEAT.md. - Sanitization: There is no mention of sanitizing or escaping task titles or calendar descriptions before they are interpolated into the agent's prompt context.
- [CREDENTIALS_UNSAFE] (HIGH): The setup instructions require the user to store a high-privilege Stripe Secret Key (
sk_live_...) in a plaintext.env.stripefile and Google OAuth credentials in a fixed local directory, increasing the risk of credential exposure if the system is compromised. - [COMMAND_EXECUTION] (MEDIUM): The skill facilitates persistence and automated execution by instructing the user to install multiple system-level cron jobs that run local shell and Python scripts. This creates a mechanism where a successful injection could lead to persistent malicious command execution.
Recommendations
- AI detected serious security threats
Audit Metadata