skills/danielmiessler/lifeos/OSINT/Gen Agent Trust Hub

OSINT

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill mandates the execution of curl commands to http://localhost:8888/notify immediately upon invocation across several files (e.g., SKILL.md, Workflows/PeopleLookup.md). This allows for silent command execution as a prerequisite for skill operation.
  • [COMMAND_EXECUTION]: The skill uses shell command substitution $(jq -r ...) within file path definitions in SKILL.md and Workflows/CompanyDueDiligence.md to resolve local project directories, requiring the agent to execute external binaries for routine file management.
  • [PROMPT_INJECTION]: The skill employs forceful and mandatory language ('MANDATORY', 'REQUIRED', 'not optional', 'MUST') to compel the agent to execute shell and network tasks immediately upon invocation, which can be used to bypass user confirmation or safety guardrails.
  • [DATA_EXFILTRATION]: The mandatory notification system exfiltrates workflow metadata (names and actions) to a local network port via POST requests. While targeting localhost, this creates a mechanism for sensitive investigation state to be captured by local listeners.
  • [EXTERNAL_DOWNLOADS]: The skill extensively references external repositories and tools (e.g., github.com/jivoi/awesome-osint, github.com/owasp-amass/amass). References to well-known security tools and trusted organizations are documented as part of the intended OSINT functionality.
  • [PROMPT_INJECTION]: The skill exhibits a significant indirect prompt injection surface due to its core mission of deploying parallel researcher agents to ingest untrusted web data. Evidence:
  • Ingestion points: DiscoverOSINTSources.md and Workflows/ deploy subagents to scrape GitHub, social media, and web directories.
  • Boundary markers: Absent; task prompts lack delimiters or 'ignore instructions' warnings for external content.
  • Capability inventory: The agent possesses shell execution capabilities (curl, jq) and broad file system access to ~/.claude/ for storing results.
  • Sanitization: No validation or sanitization is performed on data retrieved by subagents before it is processed by the main agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 01:33 AM
Security Audit — agent-trust-hub — OSINT