Gen Agent Trust Hub audit: skills/simhacker/moollm/emacs

Skill: emacs

Result: Fail

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: HIGH
Flagged categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's documentation in SKILL.md and CARD.yml explicitly defines 'RAW_ELISP' and 'EVAL' methods as an escape hatch to run arbitrary Emacs Lisp (Elisp). This allows unrestricted code execution within the Emacs daemon environment, which can be leveraged to execute system-level commands.
  • [COMMAND_EXECUTION]: The scripts/emacs.py script serves as a router for emacsclient, allowing the execution of arbitrary Elisp expressions through the --eval flag. This interface enables an agent to run any command within the Emacs process context, including those that interact with the host operating system via shell commands. Additionally, the templates/moo-oneshot.el file implements a moo-define-oneshot function that appends Elisp code to a log file loaded at startup, providing a mechanism to persist code that will execute on every Emacs initialization.
  • [DATA_EXFILTRATION]: The file reference/cursor-aiService-prompts.yaml contains a snapshot of workspace database keys, exposing prompt history, generation records, and internal development URLs (e.g., bac.leela.ai) related to the author's infrastructure. While these are vendor-related, the exposure of such metadata can reveal sensitive information about internal workflows and environment configuration.
  • [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection because it ingests untrusted data into the agent's context.
      ◦ Ingestion points: Untrusted data enters the agent context through file buffers managed by Emacs and through the speak and url command handlers in scripts/emacs.py.
      ◦ Boundary markers: The skill lacks explicit boundary markers or instructions to ignore embedded commands within processed buffer data or spoken input.
      ◦ Capability inventory: The skill provides high-privilege capabilities, including arbitrary Elisp execution (run_eval in scripts/emacs.py) and file system persistence (moo-define-oneshot in templates/moo-oneshot.el).
      ◦ Sanitization: There is no sanitization or validation of the Elisp expressions or buffer content before processing, so instructions embedded in data can potentially trigger executable actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 1, 2026, 09:34 PM