greeting-checkin
Fail
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a mechanism in section '3b. Execute auto_actions from announcements' that automatically executes shell instructions or agent commands extracted from the frontmatter of external markdown files. These files are sourced from cloud-synced directories (OneDrive, iCloud, Dropbox, etc.), which are considered external to the repository and potentially untrusted. The instructions are executed 'immediately' without prompting the user for confirmation.
- [COMMAND_EXECUTION]: The skill frequently invokes local Node.js scripts via the shell, including .github/scripts/upgrade-self.cjs, .github/scripts/_registry.cjs, and .github/muscles/heir-doctor.cjs. It also performs automated git operations (staging and committing) based on the results of the auto-actions.
- [PROMPT_INJECTION]: The skill contains a significant Indirect Prompt Injection surface (Category 8). It ingests untrusted data from external announcement files and uses specific fields (auto_actions, if_exists, if_absent) to direct the agent's behavior.
- Ingestion points: Files located in <AI-Memory-Root>/announcements/alex-act/*.md.
- Boundary markers: None. The skill specifies that these are 'Supervisor-issued maintenance commands' to be followed without question.
- Capability inventory: Execution of arbitrary instructions, running Node.js scripts, and committing to the repository.
- Sanitization: There is no evidence of validation or sanitization of the instruction strings before execution.
Recommendations
- AI detected serious security threats
Audit Metadata