daily-brief

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH
  • CREDENTIALS_UNSAFE
  • COMMAND_EXECUTION
  • DATA_EXFILTRATION
  • PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill is designed to read sensitive login information from a local file (references/credentials.md) to access Twitter, which exposes credentials if the file is compromised.
  • [COMMAND_EXECUTION]: The workflow generates a shell command for sending emails that directly includes summaries of untrusted external content (emails, social media posts). This lack of sanitization allows for command injection if the summarized content contains malicious shell characters.
  • [DATA_EXFILTRATION]: The skill accesses and aggregates highly sensitive personal data, including unread emails, calendar events, and job application details, and transmits this information to an external email address.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes content from untrusted third-party sources (Gmail and X.com).
  • Ingestion points: Content is retrieved via read_emails.py, Playwright scraping of Twitter bookmarks, and WebSearch queries.
  • Boundary markers: There are no delimiters or instructions provided to the agent to prevent it from following commands embedded within the external data.
  • Capability inventory: The skill can execute local Python scripts, read files on the system, and perform network requests.
  • Sanitization: The skill does not validate or sanitize the ingested text before incorporating it into its final output or shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 27, 2026, 07:05 PM