moai-session-info
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing and display of local project data.
- Ingestion points: Content is read from
.moai/specs/, Git logs (.git/), and the project's configuration file (.moai/config.json). - Boundary markers: Data is interpolated into response templates using simple braces (e.g.,
{last_commit_message}) without explicit delimiters or instructions to the agent to disregard any embedded commands within that content. - Capability inventory: The skill utilizes
Bash,Read, andGlobtools. If an attacker-controlled commit message or SPEC file contains malicious instructions that the agent subsequently follows, these capabilities could be leveraged for unauthorized actions. - Sanitization: There is no evidence of sanitization or filtering of the content read from the file system before it is presented to the agent.
- [EXTERNAL_DOWNLOADS]: The skill references external URLs and package registries for version information.
- Evidence: Mentions
github.com/moai-adk/moai-adkand suggests usingpip installfor themoai-adkpackage. These references target trusted services and the vendor's own repository, representing standard and safe functionality.
Audit Metadata