meeting-prep
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically constructs shell commands for cron job creation (openclaw cron add) using meeting titles sourced from external calendar data. If these titles contain shell metacharacters such as backticks or semicolons, it could lead to arbitrary code execution on the host system.
- [DATA_EXFILTRATION]: The skill reads sensitive user identity and workspace configuration from ~/executive-assistant-skills/config/user.json and transmits research briefs containing attendee details and meeting context to external platforms (WhatsApp and Slack).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ingestion of untrusted data.
  1. Ingestion points: Meeting titles, attendee names, email history threads, and web search results for LinkedIn/Crunchbase.
  2. Boundary markers: None identified; untrusted data is directly interpolated into prompts and messages.
  3. Capability inventory: Includes shell execution, file system access, and network operations via curl.
  4. Sanitization: No input validation or sanitization is performed on content extracted from external sources.
- [COMMAND_EXECUTION]: The skill executes local Python scripts (skill_log.py, meeting_prep_assertions.py) with command-line arguments derived from user configuration and runtime data, which could be manipulated if workspace variables are compromised.
Recommendations
- AI detected serious security threats
Audit Metadata