RootCauseAnalysis

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the agent to execute a shell command (curl) upon every invocation to send a "voice notification" to a local service at http://localhost:31337/notify.
  • [COMMAND_EXECUTION]: The skill mandates appending execution metadata to a persistent log file located at ~/.claude/PAI/MEMORY/SKILLS/execution.jsonl using the echo command.
  • [COMMAND_EXECUTION]: The execution log instruction is vulnerable to shell command injection. The input field in the log is populated with an 8_WORD_SUMMARY derived from user input. If this summary is not properly sanitized before being interpolated into the shell command, an attacker could inject arbitrary commands that would be executed by the host shell.
  • [DATA_EXFILTRATION]: The mandatory curl command transmits internal skill state, including the workflow name and intended action, to a local network endpoint.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface (Category 8) as it ingests untrusted user data regarding incident details and incorporates a summary of this data into a shell command. There are no explicit boundary markers or sanitization steps documented to isolate this untrusted input from the command execution environment.
  • Ingestion points: User-provided incident descriptions and summaries processed in the SKILL.md workflows.
  • Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the user data.
  • Capability inventory: The skill utilizes curl and bash (via the echo command and shell redirection).
  • Sanitization: Absent. There is no evidence of escaping or validation of the 8_WORD_SUMMARY before its use in a shell context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — RootCauseAnalysis