tg-responder
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/worker.pyscript executes external commands usingsubprocess.runto call theclaudeCLI and a separatetelegram_fetch.pyscript located in a sibling skill directory. The implementation uses a list of arguments to prevent shell injection. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from incoming Telegram messages to categorize them and draft replies.
- Ingestion points: Incoming message text is retrieved from the
inboxSQLite table and passed to the LLM viascripts/worker.py. - Boundary markers: The
prompts/classify.mdsystem prompt lacks explicit delimiters or instructions to ignore commands within the message text. - Capability inventory: The skill can draft responses and auto-send templates via
subprocess.runcalls. - Sanitization: The script uses
json.dumpsfor command-line arguments and explicitly removesANTHROPIC_API_KEYfrom the environment of child processes to mitigate potential credential theft if the LLM is compromised via injection.
Audit Metadata