skills/danielmiessler/lifeos/Science/Gen Agent Trust Hub

Science

Fail

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The shell command templates provided in SKILL.md for the 'Voice Notification' and 'Execution Log' features are vulnerable to command injection. Placeholders such as 8_WORD_SUMMARY, ACTION, and WORKFLOWNAME are intended to be replaced with user-supplied or agent-generated strings, but the instructions do not mandate shell-escaping or sanitization. An attacker could craft input containing shell metacharacters (e.g., backticks or semicolons) to execute arbitrary code during the curl or echo operations.
  • [COMMAND_EXECUTION]: The skill instructs the agent to automatically execute shell commands (curl and echo) upon invocation. This includes appending JSON data to a persistent log file at ~/.claude/PAI/MEMORY/SKILLS/execution.jsonl, which tracks user interactions.
  • [DATA_EXFILTRATION]: The skill performs an automated, silent background network request (curl -s -X POST ... &) to http://localhost:31337/notify every time it is triggered. This transmits data about the agent's actions to a local network service without explicit user consent for each transaction.
  • [PROMPT_INJECTION]: The skill uses authoritative language (e.g., "🚨 MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)", "This is not optional") to coerce the agent into performing shell-based side effects before addressing user requests.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface in SKILL.md where it looks for user customizations at ~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/Science/. It is instructed to load and apply any PREFERENCES.md or resources found there, which 'override default behavior.' This allows a local attacker to gain persistence or alter agent behavior by placing files in this directory.
  • Ingestion points: User input is ingested into variables used for shell execution (ACTION, 8_WORD_SUMMARY).
  • Boundary markers: None identified in the prompt interpolation templates.
  • Capability inventory: The skill uses subprocess calls for curl, echo, and bun run (the latter referenced in Workflows/DesignExperiment.md).
  • Sanitization: No sanitization or escaping instructions are provided for shell-interpolated variables.
  • [COMMAND_EXECUTION]: The workflow Workflows/DesignExperiment.md references the execution of a local CLI tool using bun run ~/.claude/skills/Evals/EvalServer/cli-run.ts, which grants the skill the ability to run external scripts located in the user's home directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — Science