SAG
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies a requirement to install the `sag` binary from a third-party Homebrew tap (steipete/tap/sag). While the developer is known in the macOS community, this remains an external dependency from a non-trusted vendor list.
- [COMMAND_EXECUTION]: The primary functionality of the skill is achieved through the execution of shell commands (e.g., `sag -v Clawd -o /tmp/voice-reply.mp3 "Your message here"`). This involves spawning subprocesses to run the `sag` CLI tool.
- [CREDENTIALS_UNSAFE]: The skill requires the environment variables `ELEVENLABS_API_KEY` or `SAG_API_KEY`. These keys grant access to a paid service and must be handled securely by the agent environment.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection and shell command injection by interpolating untrusted data into command-line arguments.
  - Ingestion points: The text to be spoken is taken from user requests and passed directly to the `sag` command as shown in the `SKILL.md` examples.
  - Boundary markers: Basic double-quoting is used in examples, but there are no explicit instructions or mechanisms to sanitize or ignore embedded shell control characters (like backticks or subshells).
  - Capability inventory: The skill possesses the capability to execute the `sag` binary and write output to the `/tmp` directory.
  - Sanitization: No sanitization, escaping, or validation of the input text is provided within the skill instructions.
Audit Metadata