process-inbox
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to indirect prompt injection during note triage.
  1. Ingestion points: content of notes within 'my-vault/01 Inbox/' is read at runtime.
  2. Boundary markers: absent; there are no instructions to the agent to treat note content as untrusted or to ignore embedded instructions.
  3. Capability inventory: the 'Write', 'Edit', and 'Bash(mv:*)' tools allow significant modification of the local file system.
  4. Sanitization: none; the skill logic lacks validation or filtering of note content before processing.
- COMMAND_EXECUTION (LOW): The skill explicitly permits 'Bash(mv:*)'. While the scope is limited to the move command, this tool can be weaponized if the agent's intent is hijacked via an indirect prompt injection to relocate sensitive files or disrupt vault structure.
Recommendations
- AI detected serious security threats
Audit Metadata