WriteStory
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill contains mandatory instructions to execute a shell command (
curl -s -X POST http://localhost:8888/notify...) immediately upon invocation. This automated background process is used for 'Voice Notifications' but represents arbitrary command execution. - [COMMAND_EXECUTION]: The skill performs filesystem operations within the user's home directory (
~/.opencode/skills/and~/.opencode/plans/). It reads configuration files and writes story plans (Story Bibles) to these paths, which grants the skill persistent access to user data areas. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core workflow design.
- Ingestion points: The
Interview.mdworkflow specifically 'Consumes Available Input' from the user, including notes, outlines, and character descriptions. - Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the processed story data.
- Capability inventory: The skill has the ability to execute shell commands (
curl), write to the filesystem, and spawn additional agents with dynamically generated prompts in theExploreandWriteChapterworkflows. - Sanitization: The skill does not perform any validation or sanitization of user-provided content before using it to structure the narrative architecture or influence subsequent agent tasks.
Audit Metadata