getting-started
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local script using Node.js at node .Codex/hooks/integration-concierge.cjs. This script is triggered automatically if the vault is less than 7 days old and has few integrations. The content of this script is not provided for review.
- [REMOTE_CODE_EXECUTION]: In 'Flow C: Neither Calendar Nor Granola', the skill describes a process where it fetches API documentation from a user-provided or searched URL (web_fetch(doc_url)), analyzes it, and then generates and executes new MCP (Model Context Protocol) server code. This is a dynamic execution pattern in which the generated code is influenced by untrusted external data.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection in its 'Tool Integration Flow'.
  - Ingestion points: The skill fetches content from external URLs (API documentation) via web_fetch(base_url) in Flow C.
  - Boundary markers: No explicit instructions or delimiters are mentioned that would prevent the agent from obeying instructions embedded within the fetched API documentation.
  - Capability inventory: The skill can write files, execute shell commands (Node.js), and generate/run new server code.
  - Sanitization: No sanitization or validation of the fetched documentation content is described before it is passed to the code generation phase.
- [DATA_EXFILTRATION]: While the skill accesses sensitive system files such as .onboarding-complete, config.yaml, and usage_log.md, it primarily uses this data to customize the onboarding experience. However, the 'Tool Integration Flow' performs network operations (web_fetch) which, combined with access to system data, could theoretically be used for exfiltration, though no explicit exfiltration logic was detected.
Audit Metadata