portal-router
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It is designed to ingest and display content from external skill ecosystems (Claude, Gemini, OpenCode, etc.) without sanitization.
- Ingestion points: Data enters the agent's context from multiple local directories including
~/_arms/mirror/and~/_arms/skills/, which aggregate content from various third-party sources. - Boundary markers: The
cmd_showfunction inreferences/resolve.pyuses simple markdown headers and a line of dashes as delimiters when displaying skill content, which provides minimal protection against instruction overriding. - Capability inventory: The script has the capability to read and display the full text of any file found in the indexed paths that ends with a
.mdextension. - Sanitization: There is no evidence of content validation, escaping, or filtering of the external skill files before they are presented to the agent.
- [DATA_EXFILTRATION]: The file resolution engine in
references/resolve.pyemploysos.walk(followlinks=True), which poses a potential data exposure risk. - Evidence: The script explicitly follows symlinks when scanning directories for capabilities. If an external ecosystem mirrored in
~/_arms/mirror/contains a malicious symlink pointing to a sensitive file (e.g., a credential file renamed or symlinked with a.mdextension), thearm showcommand would allow the agent to read and expose that file's contents.
Audit Metadata