secretary
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the Bash tool to execute local management scripts such as memory-manager.sh and process-queue.sh located in the user's home directory.
- [CREDENTIALS_UNSAFE]: This skill is specifically designed to store and manage sensitive information, including API keys, passwords, and secrets. It provides explicit commands to "show" these credentials from an "Encrypted Memory" database, creating a significant exposure surface if the agent is manipulated.
- [PROMPT_INJECTION]: The skill identifies a surface for indirect prompt injection by processing untrusted user conversation to automate database writes and script executions.
  - Ingestion points: Conversation text is parsed for commitments, decisions, and ideas (e.g., patterns like "I will..." or "Decided to...") in SKILL.md.
  - Boundary markers: No explicit delimiters or instructions are provided to distinguish between actual user intent and potentially malicious instructions embedded in the processed text.
  - Capability inventory: The skill leverages high-privilege tools (Bash, Write, Edit) and SQL operations to modify system state based on extracted data.
  - Sanitization: There is no evidence of sanitization or escaping for the data extracted from conversations before it is passed to database queries or shell script arguments.
Audit Metadata