WorldThreatModel

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands (curl and echo) to perform logging and send voice notifications to a local service (http://localhost:31337). These commands are defined in SKILL.md and several workflow files (Workflows/TestIdea.md, Workflows/UpdateModels.md, Workflows/ViewModels.md). The instructions direct the agent to interpolate user-derived summaries (e.g., 8_WORD_SUMMARY and SUMMARY_OF_EXECUTIVE_VERDICT) directly into these shell commands. This pattern presents a risk of command injection if the summaries contain shell metacharacters and are not explicitly sanitized or escaped by the agent.
  • [PROMPT_INJECTION]: The TestIdea workflow (in Workflows/TestIdea.md) facilitates indirect prompt injection by ingesting untrusted user data (ideas or strategies) and passing it to multiple downstream agents and skills including RedTeam, Council, and FirstPrinciples.
  • Ingestion points: User-provided idea or strategy input in Workflows/TestIdea.md.
  • Boundary markers: The skill does not define explicit delimiters (like XML tags) or safety instructions to wrap user input before it is processed by the horizon agents.
  • Capability inventory: The skill can execute shell commands, read/write files in ~/.claude/PAI/MEMORY/, and invoke multiple external reasoning and research skills.
  • Sanitization: No explicit sanitization or input validation is performed on the user-provided idea before analysis.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — WorldThreatModel