refine
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill utilizes the Bash(op read*) permission, which allows the AI agent to interface with the 1Password CLI to retrieve stored secrets and credentials.
- [COMMAND_EXECUTION]: The skill requests extensive bash permissions for system discovery (ls /run/media/, ls ~/Videos/), media processing (ffmpeg, whisper, ffprobe), and network communication (rclone, youtubeuploader, curl).
- [EXTERNAL_DOWNLOADS]: The workflow relies on a set of external bash scripts (e.g., skills/transcribe-meeting/scripts/transcribe.sh) that are not included in the analyzed file. It also uses gdown and curl to download content from external URLs.
- [DATA_EXFILTRATION]: A high risk of exfiltration is present because the agent can access sensitive data (Slack history, 1Password secrets, personal media) and possesses tools (curl, rclone) capable of transmitting this data to remote servers.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) as it processes untrusted data from Slack messages and Obsidian vault notes to generate summaries and modify content.
  - Ingestion points: Slack messages retrieved via MCP tools and personal notes read from the Obsidian vault.
  - Boundary markers: None identified; the agent processes these inputs directly to influence its output and file modifications.
  - Capability inventory: Broad file system access, 1Password credential access, and multiple network-enabled CLI tools.
  - Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the model.
Recommendations
- AI detected serious security threats
Audit Metadata