counselors
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Bash script in Phase 4 that automatically sources environment files, including .env from the current working directory. If a malicious .env file exists in the directory where the skill is run, it can execute arbitrary shell commands with the user's privileges.
- [EXTERNAL_DOWNLOADS]: The README instructs users to install a global NPM package directly from a specific GitHub fork (github:skinnyandbald/counselors) rather than from a verified package registry or a trusted organization's repository.
- [DATA_EXFILTRATION]: The skill automatically gathers project context, including git diff output and file contents, and transmits it to the OpenRouter API. This poses a risk of exposing sensitive data, credentials, or proprietary code that may be present in the repository's history or local files.
- [PROMPT_INJECTION]: The skill processes untrusted data from the local filesystem (files and git diffs) and interpolates it directly into prompts sent to multiple AI agents. This creates a surface for indirect prompt injection, where malicious comments or code could influence the agent's synthesis or recommendation phase.
  - Ingestion points: Phase 1 (files and git diff output).
  - Boundary markers: lacks explicit "ignore embedded instructions" delimiters around the gathered context.
  - Capability inventory: Phase 4 (subprocess execution of the counselors CLI).
  - Sanitization: no filtering or sanitization of ingested content before prompt interpolation.
Audit Metadata