show-and-tell
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local file paths containing agent session transcripts located in `~/.claude/projects/*.jsonl`. These logs contain a full history of the agent's work and potential data exposure, though the skill instructions mandate manual redaction of PII and credentials.
- [DATA_EXFILTRATION]: The skill fetches data from external workspace platforms, specifically Slack (via Atlas MCP) and Notion (via Notion MCP), to curate activity highlights.
- [COMMAND_EXECUTION]: The skill invokes various bash commands to gather project status and generate evidence for the demo, including `git`, `gh`, `pnpm`, and `curl`. This provides a significant capability surface for any instructions processed by the agent.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests and summarizes untrusted data from Slack messages and Notion pages. Maliciously crafted content in these external sources could influence the agent's behavior during the curation or evidence-gathering phases.
- Ingestion points: Slack activity (Atlas MCP), Notion pages (Notion MCP), and local session history files (SKILL.md).
- Boundary markers: None explicitly defined in the aggregation or curation logic to delimit untrusted content.
- Capability inventory: Execution of arbitrary shell commands (`pnpm`, `curl`, `bash`), file system writes to project directories, and broad data retrieval across multiple platforms (SKILL.md).
- Sanitization: The skill relies on a high-level instruction to redact sensitive data before delivery but lacks automated validation or filtering of the ingested external content.
Audit Metadata