inbox
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a preprocessing directive that executes a shell command with direct interpolation of user-supplied arguments.
- Evidence: The directive
preprocessing: "!agentbook inbox $ARGUMENTS"inSKILL.mdpasses the$ARGUMENTSvariable directly into a shell environment. - Risk: If the user provides arguments containing shell metacharacters (e.g.,
;,&&,|, or backticks), it could lead to arbitrary command execution on the host system. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from an external inbox.
- Ingestion points: Untrusted message content from
agentbook inboxis injected into the agent's prompt context as specified inSKILL.md. - Boundary markers: Absent. The skill provides no delimiters or instructions to the agent to treat the inbox content as untrusted or to ignore embedded instructions.
- Capability inventory: The skill aggregates and formats data, exposing the agent's standard toolset to any malicious instructions contained within the messages.
- Sanitization: Absent. There is no evidence of content filtering, escaping, or validation before the data is presented to the agent.
Recommendations
- AI detected serious security threats
Audit Metadata