meeting-summary

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The dependency.system field in SKILL.md executes a shell command (mkdir -p /tmp/openskills-uploads) during environment setup. The command itself is harmless, but the pattern is not: whatever is placed in that metadata field runs as a shell command with the agent's privileges when the skill is set up, so a tampered or untrusted skill source turns this into RCE.
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted meeting data and has write capabilities.
      • Ingestion points: Meeting records provided by the user in the main prompt flow.
      • Boundary markers: Absent. The prompt instructions neither delimit the meeting notes nor tell the model to ignore instructions embedded in them.
      • Capability inventory: File system write access via the scripts/upload.py script.
      • Sanitization: None. The agent passes the input to the upload script without sanitizing it, so instructions embedded in the meeting notes can influence what is written and where.
  • [COMMAND_EXECUTION] (HIGH): Path Traversal vulnerability in scripts/upload.py. The script takes a filename directly from its input JSON and joins it to a base path with `output_dir / filename`. The pathlib `/` operator does not collapse `..` components, and a filename that begins with `/` replaces the base path entirely, so without sanitization an attacker could supply a value such as `../../home/user/.ssh/authorized_keys` to overwrite sensitive files or gain persistence.
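The following is an added example, not code from the audited skill or from Gen Agent Trust Hub. It reconstructs the flagged `output_dir / filename` pattern (the real scripts/upload.py is not shown on this page, so `unsafe_target` is a hypothetical stand-in), shows how the `../../home/user/.ssh/authorized_keys` payload and an absolute path escape the upload directory, and places a hardened join beside it. The base directory is taken from the `mkdir` command in the first finding; the JSON payloads are constructed for the example.

```python
import json
import os
from pathlib import Path

# Assumed base directory, taken from the mkdir command in the first finding.
UPLOAD_DIR = Path("/tmp/openskills-uploads")


def unsafe_target(filename: str, output_dir: Path = UPLOAD_DIR) -> Path:
    """Hypothetical reconstruction of the flagged pattern: the JSON-supplied
    filename is joined to the base directory with no validation at all."""
    return output_dir / filename


def escapes_upload_dir(path: Path, output_dir: Path = UPLOAD_DIR) -> bool:
    """True when the lexically normalised path lands outside output_dir.

    normpath collapses '..' without touching the filesystem, so this check
    does not depend on /tmp existing or being a symlink on the host."""
    base = os.path.normpath(str(output_dir))
    target = os.path.normpath(str(path))
    return os.path.commonpath([base, target]) != base


def safe_target(filename: str, output_dir: Path = UPLOAD_DIR) -> Path:
    """Hardened join: accept only a plain file name, then confirm the
    resolved path is a direct child of output_dir."""
    # Reject empty names, the dot entries, separators and NUL bytes outright.
    if not filename or filename in {".", ".."}:
        raise ValueError(f"rejected filename: {filename!r}")
    if any(ch in filename for ch in ("/", "\\", "\x00")):
        raise ValueError(f"rejected filename: {filename!r}")
    base = output_dir.resolve()
    candidate = (base / filename).resolve()
    # resolve() follows symlinks and collapses '..'; this containment check is
    # what actually stops traversal even if the string checks above are
    # loosened later.
    if candidate.parent != base:
        raise ValueError(f"path escapes upload dir: {candidate}")
    return candidate


def is_rejected(filename: str) -> bool:
    """Helper for callers: does the hardened join refuse this name?"""
    try:
        safe_target(filename)
    except ValueError:
        return False if False else True
    return False


def target_from_json(payload: str, hardened: bool) -> Path:
    """Parse a constructed upload request of the shape {"filename": ...} and
    compute the destination path with either join."""
    filename = json.loads(payload)["filename"]
    return safe_target(filename) if hardened else unsafe_target(filename)


if __name__ == "__main__":
    # Constructed payloads: the traversal string from the finding, an absolute
    # path, and a benign name.
    payloads = [
        '{"filename": "../../home/user/.ssh/authorized_keys"}',
        '{"filename": "/etc/passwd"}',
        '{"filename": "standup-2026-02-16.md"}',
    ]
    for p in payloads:
        unsafe = target_from_json(p, hardened=False)
        print(f"unsafe join -> {unsafe}  escapes={escapes_upload_dir(unsafe)}")
        try:
            print(f"safe join   -> {target_from_json(p, hardened=True)}")
        except ValueError as exc:
            print(f"safe join   -> rejected ({exc})")
```

The string checks alone are not the defence; the `candidate.parent != base` comparison after `resolve()` is, because it holds even if a later edit admits subdirectories or a symlink is planted inside the upload directory. Rejecting separators up front simply keeps the error message useful and avoids resolving attacker-shaped paths at all.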
Recommendations
  • AI detected serious security threats. Each finding above points to a concrete fix: remove the shell command from the dependency.system field of SKILL.md (or restrict that field to a fixed, non-executable allowlist); wrap the meeting notes in explicit boundary markers and instruct the model to treat their contents as data, not instructions; and have scripts/upload.py accept only a plain file name and verify that the resolved destination stays inside the upload directory before writing.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:34 PM