recall
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several shell commands to retrieve context, including cat, grep, ls, and redis-cli. Specifically, it searches the user's home directory (~/.joelclaw/), a local vault (~/Vault/), and temporary media directories (/tmp/joelclaw-media/).
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to the way it processes user input to perform searches.
  - Ingestion points: Untrusted data enters the context via "vague references" provided by the user (e.g., 'the conversation about...', 'that thing with...').
  - Boundary markers: There are no specified delimiters or instructions to ignore embedded commands within the user-provided reference.
  - Capability inventory: The skill possesses significant local capabilities, including reading arbitrary files in the user's memory and vault directories, viewing system logs via slog, and querying a local Redis database.
  - Sanitization: The instructions lack guidance on sanitizing or escaping the "keywords" extracted from user input before they are interpolated into the grep command template (grep -ri "<keywords>" ...). This could lead to command injection if the agent extracts shell metacharacters as keywords.
Audit Metadata