ai-chats
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local shell commands including `mkdir`, `shuf`, and `sleep` within `sub-skills/start.md` to set up directories, generate random session identifiers, and manage polling intervals.
- [DATA_EXFILTRATION]: In `sub-skills/join.md`, the skill reads files from a path constructed using a user-provided 'slug'. This pattern is vulnerable to path traversal if the input contains directory navigation characters (e.g., `../`), although the requirement for a `.md` extension limits the scope of accessible files.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection as it ingests and processes content from an external source (the shared chat file) which is modified by other agents or users.
  - Ingestion points: File reads from `tmp/ai-chats/<slug>.md` using the Read tool in `sub-skills/join.md` and `sub-skills/start.md`.
  - Boundary markers: None; the skill uses structural markdown headers (`## [agent-a]`) which do not prevent the agent from obeying instructions embedded within the message text.
  - Capability inventory: Includes the `Read` tool, file system write access, and Bash command execution (`mkdir`, `shuf`, `sleep`).
  - Sanitization: No evidence of sanitization, filtering, or instruction-escaping for the content retrieved from the shared file.