ops-go
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from external sources including Slack messages, Notion comments, and WhatsApp chats, creating a surface for indirect prompt injection.
  - Ingestion points: Data entering the agent via mcp__claude_ai_Slack tools, mcp__claude_ai_Notion tools, and wacli CLI outputs in SKILL.md.
  - Boundary markers: Absent. No explicit delimiters or instructions to ignore embedded commands within the analyzed communication data are provided in the instructions.
  - Capability inventory: The skill has access to sensitive tools such as TaskCreate, CronCreate, SendMessage, and WebFetch.
  - Sanitization: No sanitization or content validation is performed on the ingested message data before it is processed by the AI for the briefing.
- [COMMAND_EXECUTION]: The skill executes local binaries and shell scripts (e.g., ops-infra, ops-git, ops-unread) using the dynamic context injection syntax and the Bash tool to gather system status information. It also uses the CronCreate tool to schedule recurring actions based on user confirmation.
- [EXTERNAL_DOWNLOADS]: Fetches calendar data from Google's official API (googleapis.com) using WebFetch. This targets a well-known service and the usage is consistent with the skill's intended purpose for calendar enrichment.
Audit Metadata