BeCreative
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill contains mandatory instructions to execute `curl` commands on every invocation. These commands send POST requests to a local notification server at `http://localhost:8888/notify`. While the target is `localhost`, the use of shell execution for notifications is a significant capability.
- [COMMAND_EXECUTION]: The `Workflows/TechnicalCreativityGemini3.md` file specifies the use of the `llm` CLI tool to perform complex technical analysis. This involves executing shell commands like `llm -m gemini-3-pro-preview` with multi-line prompt strings.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its customization feature. It is instructed to load and apply instructions from `PREFERENCES.md` and other resources found in `~/.opencode/skills/PAI/USER/SKILLCUSTOMIZATIONS/BeCreative/` to override default behavior.
  - Ingestion points: Local filesystem access in `SKILL.md` to load user-defined customization files.
  - Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present when the agent is told to 'apply' these resources.
  - Capability inventory: The skill has access to shell execution (`curl`, `llm`) and network access (to localhost).
  - Sanitization: There is no sanitization or validation of the external configuration content before it is used to override agent instructions.
- [DATA_EXFILTRATION]: The skill performs local filesystem discovery by checking for and reading files in the user's home directory (`~/.opencode/...`) to find potential overrides and resources. While used for customization, this pattern involves reading data from outside the skill's own package scope.
Audit Metadata