portal-router

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It is designed to ingest and display content from external skill ecosystems (Claude, Gemini, OpenCode, etc.) without sanitization.
  • Ingestion points: Data enters the agent's context from multiple local directories including ~/_arms/mirror/ and ~/_arms/skills/, which aggregate content from various third-party sources.
  • Boundary markers: The cmd_show function in references/resolve.py uses simple markdown headers and a line of dashes as delimiters when displaying skill content, which provides minimal protection against instruction overriding.
  • Capability inventory: The script has the capability to read and display the full text of any file found in the indexed paths that ends with a .md extension.
  • Sanitization: There is no evidence of content validation, escaping, or filtering of the external skill files before they are presented to the agent.
  • [DATA_EXFILTRATION]: The file resolution engine in references/resolve.py employs os.walk(followlinks=True), which poses a potential data exposure risk.
  • Evidence: The script explicitly follows symlinks when scanning directories for capabilities. If an external ecosystem mirrored in ~/_arms/mirror/ contains a malicious symlink pointing to a sensitive file (e.g., a credential file renamed or symlinked with a .md extension), the arm show command would allow the agent to read and expose that file's contents.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 12:02 PM
Security Audit — agent-trust-hub — portal-router