skills/steffen025/pai-opencode/Telos/Gen Agent Trust Hub

Telos

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Dashboard template provided with the skill contains Path Traversal vulnerabilities in DashboardTemplate/App/api/file/save/route.ts and DashboardTemplate/App/api/upload/route.ts. The filename and file.name inputs are used directly in path.join() with a base directory without any sanitization or validation, which allows an attacker to write or overwrite arbitrary files on the host system (e.g., .bashrc, .ssh/authorized_keys) if the dashboard is deployed.
  • [DATA_EXFILTRATION]: The 'Ask AI' functionality in DashboardTemplate/App/api/chat/route.ts aggregates the entire contents of the user's Personal TELOS directory—which is designed to contain highly sensitive personal data like life goals, core beliefs, and past traumas—and transmits it to the Anthropic API. While this is a documented feature, it represents a significant risk of exposing personal information to an external LLM provider.
  • [CREDENTIALS_UNSAFE]: The skill and its dashboard template rely on an ANTHROPIC_API_KEY environment variable. The project documentation suggests that a working API key for testing may be included in the template's .env file, which is a poor security practice for distributing skills.
  • [COMMAND_EXECUTION]: The skill uses curl to interact with a local voice notification service and relies on the Bun runtime for managing project dependencies and running the dashboard, involving numerous shell executions and file system modifications.
  • [PROMPT_INJECTION]: The InterviewExtraction workflow is vulnerable to Indirect Prompt Injection (Category 8) as it processes untrusted interview notes and meeting transcripts to extract structured data.
      • Ingestion points: Workflows/InterviewExtraction.md recursively scans target directories for .md and .txt files.
      • Boundary markers: No explicit boundary markers or 'ignore' instructions are used to delimit external content during processing.
      • Capability inventory: The workflow creates files on disk; the associated dashboard can write to the filesystem and perform network requests.
      • Sanitization: There is no evidence of sanitization or validation performed on the ingested interview content before it is processed by the AI.
  • [EXTERNAL_DOWNLOADS]: The dashboard and report templates require the execution of bun install, which downloads and executes numerous dependencies from the npm registry.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 07:38 AM