Daemon
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill aggregates private user information from multiple local directories (e.g., ~/.claude/PAI/USER/TELOS/, PRINCIPAL_IDENTITY.md) and transmits it to a public GitHub repository and a remote API endpoint (mcp.daemon.example.com).
- [EXTERNAL_DOWNLOADS]: The UpdateDaemon and DeployDaemon workflows execute 'bun install' within the skill's Mcp directory, which downloads and installs external Node.js packages from a remote registry at runtime.
- [COMMAND_EXECUTION]: Utilizes various shell commands including 'git push', 'curl', and 'bun' to manage data synchronization, deployment, and local notifications to a voice server on localhost.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection (Category 8). Ingestion points: The skill aggregates content from numerous markdown files in the user's PAI system (e.g., MISSION.md, GOALS.md, Ideas/*.md). Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore embedded instructions within the ingested source data. Capability inventory: The skill can execute shell commands, perform git operations, and make network requests via curl. Sanitization: While SecurityFilter.ts performs PII redaction, it does not sanitize data against malicious instructions that could influence agent behavior during the update workflow.
Audit Metadata