AnnualReports

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill mandates a background curl request to http://localhost:8888/notify upon every invocation. This automated behavior triggers network activity to a local endpoint without explicit per-action user confirmation.\n- [PROMPT_INJECTION]: The skill includes instructions to load and apply configurations from ~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/AnnualReports/, explicitly stating these files 'override default behavior'. This creates a mechanism for persistent instruction injection via local customization files.\n- [PROMPT_INJECTION]: Indirect Prompt Injection Surface\n
  • Ingestion points: Tools/FetchReport.ts downloads HTML content from external report URLs.\n
  • Boundary markers: No delimiters or protective instructions are used when presenting the summarized content to the agent.\n
  • Capability inventory: The skill can read and write local files (Data/sources.json, Reports/) and perform network fetches.\n
  • Sanitization: Basic HTML tag stripping is performed, which is insufficient to prevent natural language prompt injection attacks embedded in the fetched text.\n- [EXTERNAL_DOWNLOADS]: Tools/UpdateSources.ts fetches data from a GitHub repository to update report sources.\n- [EXTERNAL_DOWNLOADS]: Tools/FetchReport.ts downloads content from arbitrary, unverified URLs to extract and summarize report data.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — AnnualReports