meeting-brief
Fail
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: CRITICAL
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/check_calendar.sh contains a critical command injection vulnerability. It uses a shell heredoc (PYTHON_EOF2) to generate a Python script while interpolating the $AGENDA variable, which contains raw, unvalidated meeting titles and descriptions from Google Calendar. If a meeting entry contains triple quotes ("""), an attacker can escape the Python string literal and execute arbitrary code on the host machine.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It automatically researches external meeting attendees via LinkedIn and GitHub and feeds that unvalidated content directly into an AI prompt for brief generation in scripts/generate_brief.js.
  - Ingestion points: Web search results (LinkedIn bios, company info) and GitHub profile data collected in scripts/research_person.js.
  - Boundary markers: Data is passed as a raw JSON string within the prompt, lacking clear delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can send emails via Gmail and interact with Slack webhooks, providing a direct channel for exfiltration or further compromise if the agent is manipulated.
  - Sanitization: There is no evidence of sanitization or filtering of the researched content before processing.
- [DATA_EXFILTRATION]: The skill's core functionality involves reading sensitive calendar data and transmitting research summaries to external endpoints (Slack and Gmail). While intended, this mechanism poses a high risk if config.json is misconfigured or if the agent is tricked via prompt injection into sending sensitive data to an attacker-controlled webhook.
Recommendations
- AI detected serious security threats