
os-inbox

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to ingest and follow instructions from external files in the inbox/ directory, which makes it vulnerable to indirect prompt injection.
      • Ingestion points: SKILL.md instructs the agent to read all files matching the pattern inbox/os-*.md.
      • Boundary markers: Absent. Nothing instructs the agent to treat the file content as data only or to ignore embedded commands.
      • Capability inventory: The skill can execute shell commands via git and rm, and can modify the repository state.
      • Sanitization: Absent. The content of the task files is presented directly to the user and followed by the agent as a primary workflow.
  • [COMMAND_EXECUTION]: The skill performs several shell operations to manage the inbox.
      • It executes git fetch, git ls-tree, and git pull to synchronize tasks from a remote repository.
      • It performs file system operations such as ls and rm to detect and clean up task files.
  • [DATA_EXPOSURE]: The skill documentation includes a hardcoded absolute local path (/Users/derekxwang/Development/projects/DXW/mono/os). While this identifies the author's local environment, it does not expose sensitive credentials.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 9, 2026, 04:03 AM