local-knowledge
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill instructs the agent to locate and execute the terraphim-agent binary using several techniques, including searching specific file paths and environment command checks. It provides a full REPL command set (/search, /role, /graph), which allows the agent to interact with the local system in ways that could be abused if the binary itself or the arguments passed to it are manipulated.
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from local notes and external haystacks (GrepApp, QueryRs) and interpolates the 'body' and 'description' fields directly into the agent's context.
  - Ingestion points: Search results returned by terraphim-agent from local directories and external APIs.
  - Boundary markers: Absent. The skill provides no delimiters or instructions to the agent to ignore instructions embedded within the search results.
  - Capability inventory: The agent can execute shell commands via the REPL and read arbitrary local files mapped in the configuration.
  - Sanitization: Absent. There is no evidence of filtering or escaping logic for the retrieved content.
- DATA_EXFILTRATION (MEDIUM): The skill provides mechanisms to search and retrieve the contents of local files (personal notes, documentation). An attacker who can influence the search query or the mapped haystacks could use the agent to expose sensitive data from the local filesystem.
Recommendations
- AI detected serious security threats
Audit Metadata