RedTeam
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill mandates the execution of multiple shell commands via code blocks. This includes a
curlcommand for mandatory voice notifications and anechocommand for appending logs to the filesystem. These are presented as non-optional steps that must be performed upon skill invocation. - [PROMPT_INJECTION]: The skill employs extremely strong, imperative language (e.g., "🚨 MANDATORY", "REQUIRED BEFORE ANY ACTION", "This is not optional", "Execute this curl command immediately") to override the agent's discretion and force the execution of external commands. This behavior is a common pattern in prompt injection attacks designed to bypass safety filters or autonomy constraints.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to make a network request via
curl -s -X POST http://localhost:31337/notify. While targeting a local address, this is an unverified network operation integrated directly into the skill's logic. - [DATA_EXFILTRATION]: The skill implements a persistence/logging mechanism by writing execution metadata (timestamp, skill name, workflow, and a summary of user input) to a local file at
~/.claude/PAI/MEMORY/SKILLS/execution.jsonl. This involves the agent accessing and modifying files outside the immediate working directory. - [PROMPT_INJECTION]: The skill processes untrusted user-provided content (arguments, plans, strategies) as the primary input for its adversarial workflows, creating an indirect injection surface.
- Ingestion points: User input is ingested in
Workflows/ParallelAnalysis.md(Phase 1) andWorkflows/AdversarialValidation.md(Round 1). - Boundary markers: No specific boundary markers or "ignore embedded instructions" warnings are utilized for the processed content.
- Capability inventory: The skill utilizes shell execution (
curl,echo) and sub-agent spawning capabilities. - Sanitization: No evidence of input sanitization is present before the data is passed to the analysis agents.
Audit Metadata