WorldThreatModel
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands to provide user notifications and maintain execution logs.\n
- Evidence:
SKILL.mdcontains a template for sending voice notifications viacurlto a local endpoint athttp://localhost:31337/notify.\n - Evidence:
SKILL.mdspecifies a logging mechanism that usesechoand thedatecommand to append activity data to~/.claude/PAI/MEMORY/SKILLS/execution.jsonl.\n - Evidence: Workflow files (
TestIdea.md,UpdateModels.md,ViewModels.md) integrate thesecurlcommands to signal the start and completion of processes.\n- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection due to its multi-step data processing workflow.\n - Ingestion points:
UpdateModels.md(Step 3) uses a research tool to fetch data from external web sources to populate model documents across 11 time horizons.\n - Boundary markers: The skill does not employ delimiters or specific instructions to the agent to treat researched content as untrusted data in
ModelTemplate.mdor the associated workflows.\n - Capability inventory: The skill can execute system commands (
curl,echo) and orchestrates several advanced analysis tools includingRedTeam,FirstPrinciples, andCouncil.\n - Sanitization: Data retrieved from the web is stored directly in markdown files and subsequently read by the agent in
TestIdea.mdwithout validation or escaping of potential instructions embedded in the content.
Audit Metadata