tg-responder

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/worker.py script executes the claude CLI and a helper script from a separate telegram skill using subprocess.run. Both are invoked with argument lists and no shell wrapper, so message content passed as an argument cannot be interpreted as shell syntax, which effectively prevents command injection from the processed message content.
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it processes untrusted Telegram messages that are interpolated into a classification prompt. While the skill uses JSON to wrap the input, an adversarial message could attempt to manipulate the LLM's classification or drafting logic.
  • Ingestion points: Incoming Telegram message text is read from the inbox table in scripts/worker.py and passed to the classification engine.
  • Boundary markers: The user-provided message text is serialized into a JSON object using json.dumps before being passed to the Claude CLI as a prompt argument.
  • Capability inventory: The skill has the capability to read local files, manage a local database, and trigger message sending via the telegram skill's scripts.
  • Sanitization: External content is JSON-encoded, which keeps it from escaping the input field in the prompt structure. This is a structural boundary only; as noted under PROMPT_INJECTION, it does not stop the encoded text from influencing the model's classification or drafting.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 06:07 PM