notes
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The "Vault Discovery" and "Bootstrap" workflows in `references/mapping.md` instruct the agent to execute shell commands to set up the workspace. This includes using `mkdir -p` to create directories, `ln -s` to create symbolic links, and `printf` to write data to configuration files. It also includes instructions to use `git rev-parse --show-toplevel` and modify `.git/info/exclude`.
- [DATA_EXFILTRATION]: The skill is instructed to read from and write to `~/.config/wrap-up/vault` in the user's home directory. Accessing and modifying configuration files outside the project's local directory constitutes a data exposure risk, as the agent is interacting with the host system's global configuration.
- [PROMPT_INJECTION]: The `references/transcription.md` file defines a workflow that ingests untrusted transcription content and directs the agent to derive "Observations" and "Tags" from it. This establishes an indirect prompt injection surface.
- Ingestion points: Untrusted transcription text provided by the user in `references/transcription.md`.
- Boundary markers: Absent; the content is placed directly into a markdown template without delimiters or instructions to ignore embedded commands.
- Capability inventory: The agent has access to `write_note`, `patch_note`, and `read_note` tools via the MCPVault MCP server, as well as shell command execution capabilities defined in mapping instructions.
- Sanitization: Absent; the instructions explicitly state to "preserve exactly as provided" and to generate observations by reading the content.
Audit Metadata