persona-pack
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests benchmark manifests and research artifacts to create persona definitions and visual consistency packs.
  - Ingestion points: Research data and benchmark manifests are ingested from external JSON files (e.g., manifest.json, input.json) via readJson calls in scripts/build_persona_pack.mjs and _postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs.
  - Boundary markers: No explicit boundary markers or instructions to disregard embedded commands within the ingested data were found in the persona generation logic.
  - Capability inventory: The skill possesses capabilities for subprocess execution (yt_dlp), network operations through a custom runtime, and file system write access.
  - Sanitization: The skill lacks explicit sanitization or filtering of the benchmark data before using it to generate persona locks and image prompt packs.
- [COMMAND_EXECUTION]: The skill executes external system commands to process video content.
  - Evidence: The script _postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs utilizes the node:child_process module to spawn python3 -m yt_dlp for downloading videos from URLs specified in the manifest.
- [DATA_EXFILTRATION]: The skill is designed to access sensitive local configuration files to manage session authentication with the vendor's API.
  - Evidence: _postplus_shared/00-core/shared-runtime/scripts/lib/postplus_cli_config.mjs reads authentication tokens (cliSessionToken) from the user's local PostPlus configuration directory (e.g., ~/.config/postplus/config.json). These tokens are used to authorize requests to the vendor's hosted capability bridge.
Audit Metadata