RootCauseAnalysis
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute a shell command (
curl) upon every invocation to send a "voice notification" to a local service athttp://localhost:31337/notify. - [COMMAND_EXECUTION]: The skill mandates appending execution metadata to a persistent log file located at
~/.claude/PAI/MEMORY/SKILLS/execution.jsonlusing theechocommand. - [COMMAND_EXECUTION]: The execution log instruction is vulnerable to shell command injection. The
inputfield in the log is populated with an8_WORD_SUMMARYderived from user input. If this summary is not properly sanitized before being interpolated into the shell command, an attacker could inject arbitrary commands that would be executed by the host shell. - [DATA_EXFILTRATION]: The mandatory
curlcommand transmits internal skill state, including the workflow name and intended action, to a local network endpoint. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface (Category 8) as it ingests untrusted user data regarding incident details and incorporates a summary of this data into a shell command. There are no explicit boundary markers or sanitization steps documented to isolate this untrusted input from the command execution environment.
- Ingestion points: User-provided incident descriptions and summaries processed in the
SKILL.mdworkflows. - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the user data.
- Capability inventory: The skill utilizes
curlandbash(via theechocommand and shell redirection). - Sanitization: Absent. There is no evidence of escaping or validation of the
8_WORD_SUMMARYbefore its use in a shell context.
Audit Metadata