daily-ai-workflow-analyzer

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • Dynamic Execution / RCE (CRITICAL): The scripts/analysis_server.py script starts a Flask server with debug=True and host='0.0.0.0'. This enables the Flask debugger, which is accessible from any machine on the network and allows for arbitrary Python code execution on the host machine. This is a critical remote code execution vector.
  • Data Exposure & Exfiltration (HIGH): The skill accesses highly sensitive personal data from ~/Library/Application Support/Typeless/typeless.db (voice transcriptions). This data is processed and sent to external AI services (via the anthropic library) for analysis. While the destination is likely legitimate, the ingestion of sensitive personal conversations into a processing pipeline is a high risk.
  • Indirect Prompt Injection (HIGH): The skill's primary function is to process untrusted voice transcription data (Cat 8). It lacks sanitization or boundary markers when passing this data to AI models for "deep analysis." This creates a vulnerability surface where a malicious transcript could manipulate the agent's logic or downstream actions (e.g., file writes or command execution).
    • Ingestion points: extract_voice_records.py and scripts/group_by_app.py read from typeless.db and JSON inputs.
    • Boundary markers: Absent in analysis templates.
    • Capability inventory: High-privilege subprocess calls and file system writes in analyze_voice_workflow.py and export_to_obsidian.py.
    • Sanitization: None detected.
  • Unverifiable Dependencies (MEDIUM): The scripts/start_dashboard.sh script automatically installs Python packages flask and flask-cors using pip3 with the --break-system-packages flag. This automated installation of dependencies at runtime without user confirmation or version pinning is a security risk.
  • Command Execution (MEDIUM): Multiple scripts use subprocess.run to execute internal scripts and system commands. While arguments are passed as lists (reducing traditional shell injection risk), the combination with an insecurely exposed network server significantly increases the risk of argument injection attacks.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 01:11 PM