sydney-traffic
Fail
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The SKILL.md file uses the dynamic context injection syntax (!) to execute shell commands automatically when the skill is loaded or processed. This includes a check for tool installation and an API key configuration check.
- [CREDENTIALS_UNSAFE]: A dynamic context command in SKILL.md accesses the sensitive file ~/.config/sydney-commute/credentials.json. Although the intent is to verify if an API key is configured, silent access to credential files during skill loading is a high-risk behavior.
- [COMMAND_EXECUTION]: The script scripts/traffic.py contains a geolocation function that spawns a local HTTP server (http.server) and opens the system's web browser (webbrowser.open) to obtain the user's location via WiFi triangulation.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes data from external sources and user input without sufficient protection.
  - Ingestion points: User-provided location strings (--location) and incident data fetched from the Transport for NSW API (api.transport.nsw.gov.au).
  - Boundary markers: None identified in the prompt templates or results presentation sections to isolate the API content.
  - Capability inventory: Subprocess execution via uv run, local networking via http.server, and file system access (read/write to ~/.config/sydney-traffic/).
  - Sanitization: No explicit sanitization or filtering is performed on the data retrieved from the TfNSW API before it is presented to the user.
Recommendations
- AI detected serious security threats
Audit Metadata