CORE
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- DATA_EXFILTRATION (HIGH): The skill explicitly maps sensitive file paths in the 'Critical Paths' section. Specifically, it targets
~/.claude/settings.json(which often contains API keys or configuration) and~/.claude/MEMORY/(containing potentially sensitive session history). Identifying these paths facilitates the exposure of sensitive user data. - COMMAND_EXECUTION (LOW): The 'Voice Integration' section provides a functional template for using
curlto send data to a local server. While targetinglocalhost, this establishes a pattern for the agent to use subprocesses to transmit internal data to external processes. - PROMPT_INJECTION (LOW): The 'Response Format' and 'First-Person Voice' sections contain strict formatting requirements (e.g., 'CRITICAL', 'IMPORTANT'). While these are functional instructions, they can be used as a surface for formatting-based jailbreaks or to override default agent persona constraints.
- Indirect Prompt Injection (LOW):
- Ingestion points: The skill is designed to ingest data from untrusted or external files like
Contacts.mdandMEMORY/as shown in the examples. - Boundary markers: Absent. The skill provides no instructions for the agent to treat data read from these files as untrusted or to use delimiters.
- Capability inventory: File system read access and the ability to execute network requests via
curl. - Sanitization: Absent. There is no logic provided to sanitize or validate the content of the files before processing or displaying them.
Recommendations
- AI detected serious security threats
Audit Metadata