Skills
skills/jmagar/claude-homelab/tailscale/Gen Agent Trust Hub

tailscale

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses forceful instructional language in SKILL.md to influence agent behavior.
  • Evidence: The skill contains headers like '⚠️ MANDATORY SKILL INVOCATION ⚠️' and statements such as 'Failure to invoke this skill when triggers occur violates your operational requirements.' These instructions are designed to ensure the agent uses the tool whenever Tailscale-related topics are mentioned, rather than bypassing safety protocols.
  • [EXTERNAL_DOWNLOADS]: The documentation references a remote script execution pattern for software installation.
  • Evidence: Both references/troubleshooting.md and references/quick-reference.md provide the command curl -fsSL https://tailscale.com/install.sh | sh. This is a remote code execution pattern, but it targets the official domain of Tailscale, which is a well-known and trusted service provider.
  • [COMMAND_EXECUTION]: The skill performs local system operations and network management via CLI and shell scripts.
  • Evidence: The skill makes extensive use of the tailscale CLI for connectivity testing, file transfers (tailscale file cp), and network exposure (tailscale funnel). It also uses a custom shell script scripts/ts-api.sh to wrap API calls.
  • [DATA_EXFILTRATION]: The skill reads locally stored credentials and transmits them to an external API.
  • Evidence: scripts/ts-api.sh reads a sensitive API key from ~/.claude-homelab/.env and transmits it in the authorization headers to https://api.tailscale.com. This is the intended and necessary behavior for the skill to perform its stated function of managing the user's Tailscale network.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection via data ingested from the Tailscale API.
  • Ingestion points: Device lists, hostnames, and user tags fetched by scripts/ts-api.sh and presented to the agent.
  • Boundary markers: Absent. There are no explicit instructions for the agent to ignore instructions that might be embedded in device metadata.
  • Capability inventory: The skill possesses powerful capabilities including file transfer, network service exposure (funnel), and administrative actions like deleting devices or creating auth keys.
  • Sanitization: Data is parsed using jq but is not filtered for malicious natural language instructions before being added to the context.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 7, 2026, 03:51 AM