Skills
skills/vamseeachanta/workspace-hub/time-tracking/Gen Agent Trust Hub

time-tracking

Fail

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): Automated scans detected a dangerous pattern where content from 'https://www.rescuetime.com/anapi/focustime' is used in a subprocess execution. This allows a remote attacker controlling the API response to execute arbitrary commands on the host machine.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill downloads data from untrusted external sources (Toggl and RescueTime APIs) without performing integrity or safety checks. While these are legitimate services, the execution of downloaded content constitutes a significant risk.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted data from external APIs that could contain malicious instructions.
  • Ingestion points: API JSON responses retrieved from Toggl and RescueTime.
  • Boundary markers: None identified; the skill does not use delimiters to isolate external data from instructions.
  • Capability inventory: Network access via 'requests' and 'curl' for GET, POST, and PATCH operations.
  • Sanitization: No sanitization or validation of external input is implemented in the provided code snippets.
Recommendations
  • HIGH: Downloads and executes remote code from: https://www.rescuetime.com/anapi/focustime - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 20, 2026, 03:51 PM