track17
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill is hosted and installed from an untrusted GitHub repository (`tristanmanchester/agent-skills`). Per the [TRUST-SCOPE-RULE], this source is not within the defined trusted organizations.
- [COMMAND_EXECUTION] (LOW): The skill frequently executes a local Python script (`scripts/track17.py`) to manage tracking data. While this is the intended functionality, it relies on the integrity of the unprovided script file.
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection Surface (Category 8).
  - Ingestion points: Untrusted data enters the agent's context through 17TRACK API responses (polling) and webhook payloads ingested via `ingest-webhook` or the `webhook-server` mode.
  - Boundary markers: There are no delimited boundaries or specific instructions for the agent to ignore embedded commands within the tracking data (e.g., in labels, statuses, or carrier messages).
  - Capability inventory: The agent has the capability to execute subprocesses (`python3`) and modify the local filesystem (SQLite DB and webhook inbox).
  - Sanitization: The provided documentation does not mention sanitization or validation of the external content before it is summarized for the user. An attacker who can influence tracking information (e.g., via a malicious tracking update or carrier message) could potentially inject instructions into the agent's summary and decision-making loop.
- [CREDENTIALS_UNSAFE] (LOW): The skill requires a `TRACK17_TOKEN`. While no secrets are hardcoded in the provided files, the instructions remind the agent not to echo these tokens, confirming their sensitive nature.
Recommendations
- AI detected serious security threats
Audit Metadata