meeting-autopilot
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted meeting transcripts and interpolates them into LLM prompts.
  - Ingestion points: Transcript content is ingested via `scripts/parse-transcript.sh` from user-supplied files or standard input.
  - Boundary markers: The prompt in `scripts/extract-items.sh` uses a "TRANSCRIPT:" header to delineate input, but lacks strong delimiters or explicit instructions for the model to ignore potential instructions embedded within the transcript text.
  - Capability inventory: The skill utilizes local command execution, file system access for history logging, and network access to communicate with LLM APIs.
  - Sanitization: Transcript content is processed as raw text without specific sanitization for adversarial instructions before being sent to the LLM.
- [DATA_EXFILTRATION]: Meeting transcripts are processed by transmitting them to external LLM providers.
  - Evidence: `scripts/extract-items.sh` and `scripts/generate-outputs.sh` send transcript content to official Anthropic or OpenAI API endpoints to extract action items and generate reports.
- [COMMAND_EXECUTION]: The skill utilizes local bash scripts and inline Python code for data transformation.
  - Evidence: The orchestrator `scripts/meeting-autopilot.sh` and supporting scripts like `scripts/parse-transcript.sh` execute shell commands and Python logic.
  - Analysis: The implementation employs safe practices such as using `jq` for argument handling and reading from standard input in Python scripts, which minimizes traditional command injection risks.
Audit Metadata