skills/danielmiessler/lifeos/Daemon/Gen Agent Trust Hub

Daemon

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill aggregates private user information from multiple local directories (e.g., ~/.claude/PAI/USER/TELOS/, PRINCIPAL_IDENTITY.md) and transmits it to a public GitHub repository and a remote API endpoint (mcp.daemon.example.com).
  • [EXTERNAL_DOWNLOADS]: The UpdateDaemon and DeployDaemon workflows execute 'bun install' within the skill's Mcp directory, which downloads and installs external Node.js packages from a remote registry at runtime.
  • [COMMAND_EXECUTION]: Utilizes various shell commands including 'git push', 'curl', and 'bun' to manage data synchronization, deployment, and local notifications to a voice server on localhost.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection (Category 8). Ingestion points: The skill aggregates content from numerous markdown files in the user's PAI system (e.g., MISSION.md, GOALS.md, Ideas/*.md). Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore embedded instructions within the ingested source data. Capability inventory: The skill can execute shell commands, perform git operations, and make network requests via curl. Sanitization: While SecurityFilter.ts performs PII redaction, it does not sanitize data against malicious instructions that could influence agent behavior during the update workflow.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — Daemon