WorldThreatModel
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands (
curlandecho) to perform logging and send voice notifications to a local service (http://localhost:31337). These commands are defined inSKILL.mdand several workflow files (Workflows/TestIdea.md,Workflows/UpdateModels.md,Workflows/ViewModels.md). The instructions direct the agent to interpolate user-derived summaries (e.g.,8_WORD_SUMMARYandSUMMARY_OF_EXECUTIVE_VERDICT) directly into these shell commands. This pattern presents a risk of command injection if the summaries contain shell metacharacters and are not explicitly sanitized or escaped by the agent. - [PROMPT_INJECTION]: The
TestIdeaworkflow (inWorkflows/TestIdea.md) facilitates indirect prompt injection by ingesting untrusted user data (ideas or strategies) and passing it to multiple downstream agents and skills includingRedTeam,Council, andFirstPrinciples. - Ingestion points: User-provided idea or strategy input in
Workflows/TestIdea.md. - Boundary markers: The skill does not define explicit delimiters (like XML tags) or safety instructions to wrap user input before it is processed by the horizon agents.
- Capability inventory: The skill can execute shell commands, read/write files in
~/.claude/PAI/MEMORY/, and invoke multiple external reasoning and research skills. - Sanitization: No explicit sanitization or input validation is performed on the user-provided idea before analysis.
Audit Metadata