skills/danielmiessler/lifeos/RedTeam/Gen Agent Trust Hub

RedTeam

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill mandates the execution of multiple shell commands via code blocks. This includes a curl command for mandatory voice notifications and an echo command for appending logs to the filesystem. These are presented as non-optional steps that must be performed upon skill invocation.
  • [PROMPT_INJECTION]: The skill employs extremely strong, imperative language (e.g., "🚨 MANDATORY", "REQUIRED BEFORE ANY ACTION", "This is not optional", "Execute this curl command immediately") to override the agent's discretion and force the execution of external commands. This behavior is a common pattern in prompt injection attacks designed to bypass safety filters or autonomy constraints.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to make a network request via curl -s -X POST http://localhost:31337/notify. While targeting a local address, this is an unverified network operation integrated directly into the skill's logic.
  • [DATA_EXFILTRATION]: The skill implements a persistence/logging mechanism by writing execution metadata (timestamp, skill name, workflow, and a summary of user input) to a local file at ~/.claude/PAI/MEMORY/SKILLS/execution.jsonl. This involves the agent accessing and modifying files outside the immediate working directory.
  • [PROMPT_INJECTION]: The skill processes untrusted user-provided content (arguments, plans, strategies) as the primary input for its adversarial workflows, creating an indirect injection surface.
  • Ingestion points: User input is ingested in Workflows/ParallelAnalysis.md (Phase 1) and Workflows/AdversarialValidation.md (Round 1).
  • Boundary markers: No specific boundary markers or "ignore embedded instructions" warnings are utilized for the processed content.
  • Capability inventory: The skill utilizes shell execution (curl, echo) and sub-agent spawning capabilities.
  • Sanitization: No evidence of input sanitization is present before the data is passed to the analysis agents.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — RedTeam