aicoo
Pass
Audited by Gen Agent Trust Hub on Jun 4, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill facilitates the synchronization of local workspace data (including markdown files and git logs) to the vendor's centralized platform (aicoo.io). This behavior, implemented in 'scripts/aicoo-sync.sh' and modular sub-skills like 'context-sync', is the primary intended function of the agent and is documented in the README.
- [COMMAND_EXECUTION]: The package includes several shell scripts (e.g., 'scripts/aicoo-sync.sh', 'scripts/daily-brief-cron.sh', 'scripts/inbox-monitor-cron.sh') and provides configuration for agent hooks and cron jobs to automate background tasks such as synchronization, daily briefings, and inbox monitoring.
- [EXTERNAL_DOWNLOADS]: Installation instructions in the documentation reference fetching the skill package via 'git clone' from the vendor's repository and the use of 'npx' to add the skill to the agent runtime.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection by ingesting untrusted, user-generated content from Aicoo Square (e.g., in 'skills/discover/SKILL.md' and 'skills/square/SKILL.md').
- Ingestion points: 'skills/discover/SKILL.md', 'skills/square/SKILL.md' (processing API results from aicoo.io/api/square).
- Boundary markers: Absent; there are no instructions to the agent to ignore or delimit embedded instructions in Square posts.
- Capability inventory: Subprocess execution via local '.sh' scripts, file system write access via OS/notes APIs, and network operations via 'curl' (observed across multiple scripts and sub-skills).
- Sanitization: Absent; the instructions do not specify any validation or filtering of content retrieved from the social discovery board.
Audit Metadata