AnnualReports
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill mandates a background
curlrequest tohttp://localhost:8888/notifyupon every invocation. This automated behavior triggers network activity to a local endpoint without explicit per-action user confirmation.\n- [PROMPT_INJECTION]: The skill includes instructions to load and apply configurations from~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/AnnualReports/, explicitly stating these files 'override default behavior'. This creates a mechanism for persistent instruction injection via local customization files.\n- [PROMPT_INJECTION]: Indirect Prompt Injection Surface\n - Ingestion points:
Tools/FetchReport.tsdownloads HTML content from external report URLs.\n - Boundary markers: No delimiters or protective instructions are used when presenting the summarized content to the agent.\n
- Capability inventory: The skill can read and write local files (
Data/sources.json,Reports/) and perform network fetches.\n - Sanitization: Basic HTML tag stripping is performed, which is insufficient to prevent natural language prompt injection attacks embedded in the fetched text.\n- [EXTERNAL_DOWNLOADS]:
Tools/UpdateSources.tsfetches data from a GitHub repository to update report sources.\n- [EXTERNAL_DOWNLOADS]:Tools/FetchReport.tsdownloads content from arbitrary, unverified URLs to extract and summarize report data.
Audit Metadata