contacts
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands such as mkdir -p, echo, and git to manage the contact registry file. The use of user-supplied variables like contact names in command strings (e.g., git commit -m "contacts: add <name>") creates a risk of command injection if the input contains shell metacharacters.
- [DATA_EXFILTRATION]: The skill stores and displays absolute local filesystem paths for 'inbox' transports (e.g., /home/peter/Code/peter-oracle/ψ/inbox). This exposes the directory structure of the host machine to the agent's context and potentially to other users if the registry is shared via Git.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes and displays data from an external file (ψ/contacts.json).
  - Ingestion points: Data is read from ψ/contacts.json and .oracle/contacts.json at runtime.
  - Boundary markers: No delimiters or warnings are used to separate contact details (like notes or names) from instructions when displaying them to the agent.
  - Capability inventory: The skill possesses the ability to execute shell commands (git, mkdir, echo) and perform filesystem writes.
  - Sanitization: No validation or sanitization of the JSON content is performed before processing or displaying the data.
Audit Metadata