robot-personality
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: Directory Traversal. The `robot_load_personality` tool in `index.js` uses `path.resolve` on the user-controlled `name` parameter without sanitization. This allows an attacker to bypass the intended directory constraint and read arbitrary files from the filesystem by using parent directory references (e.g., `../../etc/passwd`).
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill's core functionality involves loading and parsing markdown-based personality files (`.md`) which are then used to influence the agent's behavioral identity and safety checks.
  - Ingestion points: Personality files are loaded from disk in `index.js` and parsed in `lib/personality.js`.
  - Boundary markers: The prompt templates provided in the documentation do not include sufficient delimiters to prevent the agent from interpreting instructions contained within the personality data.
  - Capability inventory: Includes tools for influencing behavioral responses (`robot_behavior`) and performing safety evaluations (`robot_safety_check`).
  - Sanitization: The parser in `lib/personality.js` extracts content using regular expressions without performing validation or sanitization of the values against known instruction patterns.
Audit Metadata