boss-skills
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to process highly sensitive data, including email archives (.eml, .mbox) and chat transcripts from WeChat, Feishu, and other platforms. While the analysis is performed locally and no network exfiltration patterns were found, users should be aware that the agent requires access to these private communications to function.
- [PROMPT_INJECTION]: The 'Real Boss' workflow involves analyzing untrusted external content (emails, chats). This creates a surface for indirect prompt injection, where malicious instructions embedded in a chat log could attempt to influence the agent's behavior during the distillation process.
- Ingestion points: Tools such as
email_parser.pyandfeishu_parser.pyread external files into the agent's context. - Boundary markers: The prompts in
prompts/judgment_analyzer.mdandprompts/management_analyzer.mdlack explicit instructions to ignore embedded commands within the source material. - Capability inventory: The skill has
Write,Edit, andBashpermissions to manage the./bossesdirectory. - Sanitization: No specific sanitization or escaping of the extracted text is performed before it is passed to the analyzer prompts.
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to execute internal Python scripts (skill_writer.py,version_manager.py, and various parsers). These scripts perform file system operations such as creating directories, writing markdown files, and managing version backups within the skill's workspace.
Audit Metadata