PrivateInvestigator

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Mandatory shell command execution for notifications. The skill instructs the agent to execute a curl command to a local server (http://localhost:8888/notify) immediately upon invocation and at the start of every workflow. This pattern attempts to bypass user review for tool execution and creates a potential command injection vector if user-provided content is interpolated into the notification message.
  • [COMMAND_EXECUTION]: Dynamic resource loading from local paths. The skill directives include checking a specific local directory (~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/PrivateInvestigator/) to load and apply PREFERENCES.md and other resources that override default behavior. This introduces a risk of unauthorized capability modification if the local filesystem is compromised or if malicious configuration files are placed in the directory.
  • [EXTERNAL_DOWNLOADS]: Instructions for third-party software installation. The documentation within the workflows explicitly guides the agent or user to install external Python packages such as holehe and sherlock-project using pip, which introduces supply chain considerations for the execution environment.
  • [PROMPT_INJECTION]: Large attack surface for indirect prompt injection. The skill ingests untrusted user data such as names, social handles, and emails in SKILL.md and multiple workflow files. This data is interpolated into prompts for 15 parallel research agents without explicit boundary markers or sanitization. Given the extensive capability inventory (including multi-agent task calls and shell commands), malicious data retrieved during investigation could influence agent behavior across the complex tool chain.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — PrivateInvestigator