radicale
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file contains forceful instructions aimed at overriding the agent's decision-making process, using language like '⚠️ MANDATORY SKILL INVOCATION ⚠️', 'YOU MUST invoke', and stating that failure to do so 'violates your operational requirements.'
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8) as it processes data from an external Radicale server.
  - Ingestion points: The script scripts/radicale-api.py retrieves untrusted data such as event summaries, descriptions, and contact names from a remote Radicale server.
  - Boundary markers: No specific delimiters or instructions are used to treat the retrieved data as untrusted when presented to the agent.
  - Capability inventory: The skill allows creating, deleting, and searching events and contacts through scripts/radicale-api.py.
  - Sanitization: No sanitization or validation of the remote content is performed before returning it to the agent environment.
- [DATA_EXFILTRATION]: The script scripts/radicale-api.py reads sensitive credentials from the local file path ~/.claude/.env. Although these credentials are used for the intended purpose of authenticating with the Radicale server, accessing .env files is a known data exposure risk.