bootstrap
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill implements methods like DEEP-PROBE and CURSOR-PROBE that utilize the run_terminal_cmd tool to collect system and IDE diagnostics. Additionally, the configuration templates for sub-skills (e.g., Home Assistant) include shell snippets for setup tasks, such as fetching credentials via the 1Password CLI (op) and testing network connectivity with curl.
- PROMPT_INJECTION (LOW): The skill generates dynamic agent instructions (.mdc rules) from templates using a process described as "empathic templating." This creates an indirect prompt injection surface:
  - Ingestion points: Untrusted data enters the context via .moollm/hot.yml, .moollm/startup.yml, and various CARD.yml files.
  - Boundary markers: Absent; templates do not use explicit delimiters or "ignore" instructions to isolate variable content from the resulting rules.
  - Capability inventory: The skill is granted run_terminal_cmd and write_file capabilities, which are used to compile and apply these rules.
  - Sanitization: No explicit sanitization or validation of template variables (e.g., {{probe_results}}) is performed before they are interpolated into system-level instructions.
- DATA_EXFILTRATION (SAFE): While the skill manages sensitive API tokens and configurations, it mandates storing them in the gitignored .moollm/local directory. It also utilizes a "trekify" protocol to mask personal identifiers and absolute paths in shared logs and example files, demonstrating a privacy-centric design for handling sensitive environmental data.
Audit Metadata