zephyr
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to use Bash commands to check the
ZEPHYR_BAKE_LOG_DIRenvironment variable at runtime. While intended for configuration, this pattern encourages the use of shell execution for tasks that might have safer alternatives. - Mitigation: Utilize native platform methods for accessing environment variables rather than executing shell commands.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted text (such as speech-to-text transcriptions of voice memos) from various documents without sanitization.
- Ingestion points: The routing logic in
ROUTING.mdreads from documents containing mixed content to identify and extract entries. - Boundary markers: Absent. The skill identifies entries using the "For Zephyr N" pattern, which does not provide a secure boundary against instructions embedded in the processed data.
- Capability inventory: The skill has the capability to read, write, create, and delete file content (via its default
movemode) within the local file system, specifically targeting an Obsidian Vault. - Sanitization: No sanitization or instruction-filtering is performed on the body of the extracted entries before they are written to target logs.
- Mitigation: Implement strict delimiters for processed data and provide the agent with explicit instructions to ignore any potential commands or directives found within the entry content.
Audit Metadata