digital-brain
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute local Python scripts for periodic tasks, specifically `python agents/scripts/weekly_review.py` and `agents/scripts/stale_contacts.py`.
- [DATA_EXFILTRATION]: The skill centralizes and accesses highly personal information across various files, such as relationship histories, contact details, and private goals (`network/contacts.jsonl`, `network/interactions.jsonl`, `operations/goals.yaml`). While these files are intended for user organization, they represent a significant data exposure surface.
- [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection through the ingestion of external data. It captures bookmarks, research, and learning materials into the `knowledge/` directory and develops content ideas from these sources without explicit sanitization or instruction boundary markers.
  - Ingestion points: Data entering the system through `knowledge/` (bookmarks/research) and `network/interactions.jsonl` (external interaction logs).
  - Boundary markers: No specific delimiters or warnings to ignore embedded instructions are provided in the skill documentation.
  - Capability inventory: The skill utilizes file system read/write operations and shell-based script execution (Python).
  - Sanitization: There is no evidence of input validation, escaping, or filtering for content ingested from external sources.
- [EXTERNAL_DOWNLOADS]: The skill references documentation and resources from the author's GitHub repository and Anthropic's official engineering guide.
Audit Metadata