tg-responder

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/worker.py script executes external commands using subprocess.run to call the claude CLI and a separate telegram_fetch.py script located in a sibling skill directory. The implementation uses a list of arguments to prevent shell injection.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from incoming Telegram messages to categorize them and draft replies.
  • Ingestion points: Incoming message text is retrieved from the inbox SQLite table and passed to the LLM via scripts/worker.py.
  • Boundary markers: The prompts/classify.md system prompt lacks explicit delimiters or instructions to ignore commands within the message text.
  • Capability inventory: The skill can draft responses and auto-send templates via subprocess.run calls.
  • Sanitization: The script uses json.dumps for command-line arguments and explicitly removes ANTHROPIC_API_KEY from the environment of child processes to mitigate potential credential theft if the LLM is compromised via injection.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 12:20 PM
Security Audit — agent-trust-hub — tg-responder