active-interleave
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection (Category 8). The skill's primary function is to read from untrusted data sources (
messagestable in~/worldnet/cognition.duckdb) and interleave that content into the current agent context. There are no mentions of boundary markers, delimiters, or sanitization logic to prevent the agent from obeying instructions embedded within that historical data. - [COMMAND_EXECUTION] (HIGH): The documentation demonstrates the use of
babashka.process/shellto execute local scripts (active.bb). Granting an agent the ability to execute shell commands while it is processing potentially malicious context from a database is a dangerous pattern that could lead to local system compromise if the interleaved content triggers unintended code paths.
Recommendations
- AI detected serious security threats
Audit Metadata