self-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The commands `alma update download` and `alma update install` allow the agent to fetch and execute code from an unspecified remote source, enabling arbitrary software updates on the host system without verification.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill implements an update mechanism that retrieves remote assets from untrusted sources without integrity checks or source validation.
- [CREDENTIALS_UNSAFE] (HIGH): The skill manages sensitive configuration values, including `tts.apiKey`. The `alma config list` and `alma config get` commands allow these credentials to be printed into the agent's context, where they can be observed or exfiltrated.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because `SOUL.md` is persistently injected into the system prompt. Ingestion points include the `alma soul set` command and direct `Bash` writes to `~/.config/alma/SOUL.md`. There are no boundary markers or sanitization procedures, and the agent has high-privilege `Bash` and CLI capabilities, allowing malicious instructions to be stored in the agent's permanent identity.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses the `Bash` tool to perform arbitrary file manipulations and execute local CLI commands, providing a broad capability for system interaction.
Recommendations
- AI detected serious security threats
Audit Metadata