blog-writer

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Python script (~/.claude/skills/_generate_image.py) using uv run. The command incorporates an AI-generated visual metaphor as a prompt argument. This pattern introduces a risk of command injection if the agent includes shell-active characters (like backticks or semicolons) in the generated string.
  • [DATA_EXFILTRATION]: The skill operates on sensitive local directories, including the user's Obsidian vault and a private development path (/Users/maroffo/Development/private/blog). Since the skill also has access to network-enabled tools (WebFetch, WebSearch), there is a risk that sensitive local information could be exfiltrated if the agent is compromised or misled into sending vault contents to external endpoints.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from external sources (web search results) and the user's Obsidian vault (including potentially malicious 'Clippings') and processes them as primary writing material.
  • Ingestion points: Data is read from the Obsidian vault (e.g., Second Brain, Clippings) and retrieved from the internet using WebFetch and WebSearch.
  • Boundary markers: The instructions lack explicit boundary markers or delimiters to separate untrusted data from system instructions during processing.
  • Capability inventory: The agent has extensive capabilities including shell command execution (Bash), local file modification (Write, Edit), and network access (WebFetch).
  • Sanitization: There is no mention of sanitizing or validating data retrieved from external or local sources before it is interpreted by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 07:15 AM