promptify
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute the shell command `echo 'PROMPT' | pbcopy` to copy generated text to the system clipboard. This involves executing a shell command with dynamically generated content that could be manipulated if not properly escaped.
- [DATA_EXFILTRATION]: The `codebase-researcher` sub-agent uses tools such as `Glob`, `Grep`, `LS`, and `Read` to explore the user's filesystem. This provides a significant exposure surface, potentially allowing the agent to read sensitive configuration files or environment secrets if misled by a malicious prompt.
- [EXTERNAL_DOWNLOADS]: The `web-researcher` sub-agent utilizes `WebSearch` and `WebFetch` to retrieve content from external websites, introducing untrusted data into the agent's context.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its ingestion of external data.
  - Ingestion points: User-provided prompt arguments, local files retrieved by `codebase-researcher.md`, and web pages fetched by `web-researcher.md`.
  - Boundary markers: The skill uses XML-style tags like `<task>` and `<constraints>` for structure, but lacks explicit instructions to ignore or sanitize embedded instructions within the processed data.
  - Capability inventory: The skill can read arbitrary local files, perform web searches, and execute the `pbcopy` shell command.
  - Sanitization: No explicit sanitization or escaping mechanisms are defined for untrusted input before it is incorporated into the optimized prompt or the clipboard command.
- [PROMPT_INJECTION]: The `README.md` documentation directs users to install a package handle (promptify@tolibear) that does not match the stated author (sundial-org), which may lead users to install an untrusted or unofficial version of the tool.