send-user-message
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads user pairing data from a local file located at
~/.tinyclaw/pairing.jsonto identify message recipients. This is a standard operation within the intended framework. - [DATA_EXFILTRATION]: The script
send_message.tsallows the agent to specify absolute file paths via the--filesargument, which are then passed to a local API server. While this allows referencing any file on the system, the script itself does not read the file contents, and the destination is restricted tolocalhost. - [COMMAND_EXECUTION]: The skill uses
npx ts-nodewithinsend-message.shto execute its TypeScript-based logic, which is a common pattern for executing scripts in this environment. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it accepts unvalidated message content and file paths as input from the agent. Ingestion points: The
messageandfilesarguments processed inscripts/send_message.ts. Boundary markers: None are present to distinguish between agent instructions and user-provided data. Capability inventory: The skill can send network requests to a local API and reference any file path on disk. Sanitization: No sanitization or path validation is performed on the provided inputs.
Audit Metadata