sag
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata triggers the installation of a binary from a third-party Homebrew tap (steipete/tap/sag). This involves downloading executable code from a source outside the predefined trusted organizations list.
- [COMMAND_EXECUTION]: The skill relies on the execution of the sag binary through shell commands to perform its core functionality of text-to-speech generation and local playback.
- [PROMPT_INJECTION]: The skill defines a workflow for generating voice responses that interpolates user-controlled text directly into a bash command: sag -v Clawd -o /tmp/voice-reply.mp3 'Your message here'. This creates a surface for indirect prompt injection (Category 8):
  - Ingestion points: Untrusted user input enters the agent context when a user requests a 'voice' reply in SKILL.md.
  - Boundary markers: The command template uses quotes around the user-provided text, which provides basic shell-level separation but does not prevent manipulation of the tool logic or TTS-specific tags.
  - Capability inventory: The skill utilizes the sag command to write audio files to /tmp/ and play them back as described in SKILL.md.
  - Sanitization: There is no evidence of sanitization or validation of the external content before it is interpolated into the executable command string.