self-management
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to execute `alma` CLI commands and directly manipulate configuration files in the `~/.config/alma/` directory. This provides a broad surface for modifying system behavior and accessing internal data.
- [CREDENTIALS_UNSAFE]: The skill is explicitly designed to handle and update sensitive credentials, such as the `tts.apiKey`. The instruction to run `alma config list` to view current settings can lead to the accidental exposure of these secrets in the agent's output context.
- [REMOTE_CODE_EXECUTION]: The `alma update install` functionality allows the agent to download and execute external code to perform self-updates. This is a high-risk capability that could be exploited if the update server or the update package itself is compromised.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data.
  - Ingestion points: Files like `USER.md` and group-specific rules (`~/.config/alma/groups/*.rules.md`) are read and injected into the system prompt.
  - Boundary markers: There are no documented boundary markers or instructions to treat these injected files as untrusted content.
  - Capability inventory: The skill has Bash access and the ability to send messages across multiple platforms (Discord, Telegram, Feishu).
  - Sanitization: There is no evidence of sanitization or validation of the content within the rules or profile files before they are interpolated into the prompt.