world2agent-protocol

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs users to execute claude --dangerously-load-development-channels, which is specifically designed to bypass standard safety and verification protocols for loading plugins.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of numerous external dependencies from npm and third-party plugins from GitHub repositories (e.g., machinepulse-ai/world2agent-plugins). These sources are not part of the established trusted vendor set.
  • [PROMPT_INJECTION]: Surface for Indirect Prompt Injection detected.
    ◦ Ingestion points: Data is ingested from various external sensors, including @world2agent/sensor-hackernews, @quill-io/sensor-frontier-ai-news, and @world2agent/sensor-reddit, via the W2AClient (SKILL.md).
    ◦ Boundary markers: None detected in the logic examples; signals are processed directly into the agent's logic flow without delimiters or instructions to ignore embedded commands.
    ◦ Capability inventory: The skill installs plugins for Claude Code, Hermes, and OpenClaw which can execute logic on the host system. The SDK usage examples show signals being passed to arbitrary handlers such as handleUrgentSignal and routeToNewsHandler (SKILL.md).
    ◦ Sanitization: No evidence of sanitization or filtering of malicious instructions within the signal payloads before they are processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 17, 2026, 11:30 AM
Security Audit — agent-trust-hub — world2agent-protocol