causal-inference
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `subprocess.run` function in multiple scripts (`backfill_email.py`, `backfill_calendar.py`, `backfill_messages.py`) to execute local CLI commands. These commands are used to interface with external utilities (`gog`, `wacli`) to retrieve historical user data for analysis. The usage does not utilize `shell=True` and handles arguments safely.
- [EXTERNAL_DOWNLOADS]: The skill relies on external command-line utilities that are not included in the standard environment, specifically `gog` for Google Workspace interaction and `wacli` for WhatsApp/messaging interaction. While the skill does not download these during runtime, its core functionality depends on their presence.
- [PROMPT_INJECTION]: The skill processes untrusted external data from emails, calendar events, and messages to build its causal models, creating an indirect prompt injection surface (Category 8).
  - Ingestion points: Untrusted data is ingested via `scripts/backfill_email.py` (Gmail), `scripts/backfill_calendar.py` (Calendar), and `scripts/backfill_messages.py` (WhatsApp/Slack/Discord).
  - Boundary markers: There are no explicit boundary markers or instructions to ignore embedded commands when parsing the contents of messages or emails.
  - Capability inventory: The skill possesses shell execution capabilities (via `subprocess.run`) and file system write access to update its action logs.
  - Sanitization: No content sanitization or filtering of the retrieved communications is implemented before the data is recorded in the causal log.
Audit Metadata