morning-briefing
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill ingests data from external sources such as OmniFocus tasks/notes and input text files without implementing sanitization or boundary markers. This creates a surface where malicious instructions placed in a task note could influence the agent's behavior during briefing generation.
  - Ingestion points: OmniFocus task names, notes, and projects (`scripts/get_due_flagged.js`); input text processed for pronunciations (`scripts/apply_pronunciations.js`).
  - Boundary markers: Absent. Templates like `references/podcast-script-template.md` interpolate data directly into the script structure without delimiters.
  - Capability inventory: File system write access via `apply_pronunciations.js`; context aggregation for email and audio generation.
  - Sanitization: None. Data is read and passed directly into placeholders.
- [Data Exposure] (LOW): The script `scripts/get_due_flagged.js` accesses personal information from the user's OmniFocus database, including task notes which may contain sensitive details. While this is the intended functionality, it constitutes the ingestion of private data into the LLM context.
- [Command Execution] (SAFE): Use of `osascript` for AppleScript and `bun` for JavaScript execution is restricted to local scripts provided within the skill. No patterns were found where untrusted network data influences the command-line arguments or execution flow.
Audit Metadata