heartbeat
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill schedules and executes several local maintenance scripts using node and pnpm. Examples include .claude/tools/cli/reflection-check.cjs, evolution-check.cjs, and telegram-poll.cjs. It also runs indexing commands via pnpm code:index:reindex. These are intended for environment maintenance.
- [EXTERNAL_DOWNLOADS]: The skill communicates with external APIs, specifically the Telegram Bot API for message polling and ArXiv/Exa for research digests. These interactions involve well-known technology services.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection.
  1. Ingestion points: Data is pulled from the Telegram Bot API (Loop 6), ArXiv/Exa APIs (Loop 7), and local project files such as issues.md and learnings.md (Loop 3).
  2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the scheduled task prompts.
  3. Capability inventory: The subagents spawned by these tasks have access to Bash, CronCreate, TaskCreate, and Read tools.
  4. Sanitization: There is no evidence of sanitization or filtering of the incoming external data before it is processed by the subagents.
Audit Metadata