Skills
skills/gitbyeos/open-part-skills/switch-chat/Gen Agent Trust Hub

switch-chat

Warn

Audited by Gen Agent Trust Hub on May 28, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/gen.py script starts a local HTTP server on a random port to handle the 'write-back' feature. This server is configured with Access-Control-Allow-Origin: *, which allows malicious websites visited by the user to send unauthenticated POST requests to the local service. If the port is discovered (e.g., via port scanning), a remote attacker could overwrite the {skill}/assets/continue.html file with arbitrary content.
  • [PROMPT_INJECTION]: The skill is vulnerable to local Cross-Site Scripting (XSS). In scripts/gen.py, the title extracted from user-supplied Markdown is interpolated directly into the HTML template without sanitization. An attacker providing a malicious Markdown header could execute arbitrary JavaScript in the context of the local file when opened in a browser.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface.
  • Ingestion points: scripts/read.py reads content from assets/continue.html (the handoff document).
  • Boundary markers: None; the agent is instructed to simply 'follow the structured handoff text'.
  • Capability inventory: The skill allows file writing via scripts/gen.py and local server execution.
  • Sanitization: There is no validation or filtering of the content read from the HTML file before it is presented to the agent. Malicious instructions embedded in the handoff document could influence the agent's behavior in the new session.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 28, 2026, 11:19 AM
Security Audit — agent-trust-hub — switch-chat