Science
Fail
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The shell command templates provided in
SKILL.mdfor the 'Voice Notification' and 'Execution Log' features are vulnerable to command injection. Placeholders such as8_WORD_SUMMARY,ACTION, andWORKFLOWNAMEare intended to be replaced with user-supplied or agent-generated strings, but the instructions do not mandate shell-escaping or sanitization. An attacker could craft input containing shell metacharacters (e.g., backticks or semicolons) to execute arbitrary code during thecurlorechooperations. - [COMMAND_EXECUTION]: The skill instructs the agent to automatically execute shell commands (
curlandecho) upon invocation. This includes appending JSON data to a persistent log file at~/.claude/PAI/MEMORY/SKILLS/execution.jsonl, which tracks user interactions. - [DATA_EXFILTRATION]: The skill performs an automated, silent background network request (
curl -s -X POST ... &) tohttp://localhost:31337/notifyevery time it is triggered. This transmits data about the agent's actions to a local network service without explicit user consent for each transaction. - [PROMPT_INJECTION]: The skill uses authoritative language (e.g., "🚨 MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)", "This is not optional") to coerce the agent into performing shell-based side effects before addressing user requests.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface in
SKILL.mdwhere it looks for user customizations at~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/Science/. It is instructed to load and apply anyPREFERENCES.mdor resources found there, which 'override default behavior.' This allows a local attacker to gain persistence or alter agent behavior by placing files in this directory. - Ingestion points: User input is ingested into variables used for shell execution (
ACTION,8_WORD_SUMMARY). - Boundary markers: None identified in the prompt interpolation templates.
- Capability inventory: The skill uses subprocess calls for
curl,echo, andbun run(the latter referenced inWorkflows/DesignExperiment.md). - Sanitization: No sanitization or escaping instructions are provided for shell-interpolated variables.
- [COMMAND_EXECUTION]: The workflow
Workflows/DesignExperiment.mdreferences the execution of a local CLI tool usingbun run ~/.claude/skills/Evals/EvalServer/cli-run.ts, which grants the skill the ability to run external scripts located in the user's home directory.
Recommendations
- AI detected serious security threats
Audit Metadata