context-orchestrator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill templates user input directly into shell commands in several files.
  • Evidence: commands/context.md runs limitless workflow search "{query}"; agents/limitless-agent.md runs lifelogs search "{query}"; agents/research-agent.md runs research docs -t "{query}".
  • Risk: Although the included docs/SECURITY-REVIEW.md marks this finding as 'FIXED', the YAML definitions still interpolate {query} as a string into a command line. Because that string is re-parsed by a shell, the surrounding quotes give no protection once the query itself contains a quote or a command separator: a value such as ; rm -rf / ; executes arbitrary system commands with the agent's privileges. Passing the query as a single argv element instead of templating it into a command string removes the second parse.
  • [PROMPT_INJECTION] (HIGH): Large surface area for indirect prompt injection (Category 8).
  • Ingestion points: research-agent.md (online documentation, academic papers, Perplexity/Exa results), limitless-agent.md (personal chat transcripts and recordings), and pieces-agent.md (local code history).
  • Boundary markers: absent. Ingested data is merged into the agent's context without delimiters and without any instruction to treat embedded commands as data rather than instructions.
  • Capability inventory: the agent can execute system commands through the three CLI tools and can read and write the cache directory (~/.claude/.context-cache/), so a successful injection can both drive command execution and persist into the cache.
  • Sanitization: none detected for content returned from external sources. Malicious content in a searched web page or a poisoned transcript could redirect the agent's behavior.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill executes external binaries from non-standard or user-controlled paths.
  • Evidence: skill.yaml references ~/.local/bin/research, /opt/homebrew/bin/pieces, and a bun alias pointing to ~/Projects/limitless-cli/bin/limitless.ts.
  • Risk: None of these dependencies is pinned or integrity-checked at runtime, so whatever binary or script is present at those paths is executed as-is; anything able to write to the user's home directory or the Homebrew prefix can substitute its own.
  • [DATA_EXFILTRATION] (MEDIUM): The skill handles highly sensitive personal data, including transcripts of conversations and local code history.
  • Risk: docs/SECURITY-REVIEW.md (Finding 4) notes that the history log stores full extraction results without encryption or redaction, so all of this data is exposed if the machine or the agent context is compromised.
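The command-execution finding above is easiest to see with the two invocation styles side by side. The following is an added example written for this audit page; it is not code from the context-orchestrator skill. It replaces the real limitless CLI with a stub function of the same name that only prints the arguments it receives, uses a constructed payload that prints a number instead of deleting anything, and adds a hypothetical allowlist check (query_is_safe) that the skill does not have.

```shell
# Stand-in for the real `limitless` CLI (constructed for this example): it
# reports how many arguments it received and echoes each one, so we can see
# whether the query arrived as one argument or was re-parsed by a shell.
limitless() {
  printf '[limitless] argc=%d\n' "$#"
  printf '  arg: %s\n' "$@"
}

# Unsafe pattern: mimics a template such as `limitless workflow search "{query}"`
# being expanded into a command string and handed to a shell. The quotes in the
# template stop helping as soon as the query itself contains a quote.
run_unsafe() {
  query="$1"
  cmd="limitless workflow search \"${query}\""
  eval "$cmd"
}

# Safe pattern: the query travels as exactly one argv element. There is no
# second parse, so shell metacharacters in it are just bytes in an argument.
run_safe() {
  query="$1"
  limitless workflow search "$query"
}

# Defence in depth (hypothetical policy, not from the skill): an allowlist for
# queries that will be forwarded to a tool that might itself shell out.
# Returns 0 if the query is acceptable, 1 otherwise.
query_is_safe() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9 ._-]+$'
}

# Constructed payload: a harmless stand-in for `; rm -rf / ;`. It closes the
# template's opening quote, runs a command, and re-opens a quote so that the
# template's trailing quote still balances.
PAYLOAD='"; echo $((6*7)); echo "'

if [ "${1:-}" = "demo" ]; then
  echo "--- unsafe: templated string + eval ---"
  run_unsafe "$PAYLOAD"        # the injected command runs and prints 42
  echo "--- safe: argv array ---"
  run_safe "$PAYLOAD"          # the payload is a single literal argument
  echo "--- allowlist ---"
  if query_is_safe "$PAYLOAD"; then echo "accepted"; else echo "rejected"; fi
fi
```

Run it as `sh example.sh demo`. In the unsafe branch the stub is called with an empty third argument and the injected `echo` runs as a separate command; in the safe branch the stub receives three arguments, the last being the payload verbatim. The allowlist is a second line of defence for the case where the downstream CLI itself builds a shell command from its arguments, which argv passing alone cannot protect against.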
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 04:55 AM