secondbrain-init
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Step 5 of the skill instructions requires the creation of a '.claude/settings.local.json' file that grants unrestricted shell access via 'allow_bash': ['*']. This allows the agent to execute any command on the host system, bypassing standard security constraints.
- [DATA_EXFILTRATION] (HIGH): The recommended configuration allows the agent to read all files in the user's home directory ('allow_read': ['~/**']) and fetch data from any external URL ('allow_web_fetch': ['*']). This enables the exfiltration of SSH keys, cloud credentials, and personal documents.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill generates Python scripts and automation hooks at runtime and instructs the user to run 'npm install' on the generated project. This workflow can be used to execute persistent malicious code within the newly created environment.
- [PROMPT_INJECTION] (LOW): The skill uses 'CRITICAL' markers and manipulative labeling ('Maximum Freedom') to pressure the agent and user into adopting a dangerous security posture that disables safety filters.
Recommendations
- AI detected serious security threats
Audit Metadata