init-first-agent

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill reads the .env file and local SQLite databases (data/v2.db) to resolve user identities and credentials. While necessary for initialization, this constitutes sensitive file access.
  • [COMMAND_EXECUTION]: The skill executes system commands including systemctl, launchctl, and sqlite3, as well as local scripts via npx tsx.
  • [DYNAMIC_EXECUTION]: Step 4 assembles a shell command using npx tsx and interpolates several user-provided variables (USER_HANDLE, DISPLAY_NAME, AGENT_NAME, CHANNEL) into the command arguments.
  • [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect injection via user-supplied input strings. Evidence Chain:
    1. Ingestion point: User input collected in step 2.
    2. Boundary markers: Absent in the shell command assembly in step 4.
    3. Capability inventory: Execution of local TypeScript files and SQLite queries.
    4. Sanitization: Absent; the agent is instructed to use the input strings directly in the command line.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 09:50 PM