flowhunt
Warn
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses `npx` and `uvx` to execute remote code from the internet during both setup and runtime. Specifically, it executes packages like `@korotovsky/slack-mcp-server`, `imessage-mcp`, `telegram-mcp`, and `discord-mcp` which are maintained by individual third-party contributors. The use of the `-y` flag in npx bypasses user confirmation for package execution.
- [EXTERNAL_DOWNLOADS]: The skill fetches software from various external sources, including ActivityWatch binaries, the `uv` tool from Astral, and extensions from the Chrome Web Store and Mozilla Add-ons. It also directs the agent to install a Workspace extension for Gemini from a third-party GitHub repository (`gemini-cli-extensions/workspace`).
- [DATA_EXFILTRATION]: The skill processes highly sensitive personal information, including the content of private messages from Slack, iMessage, and Telegram, as well as full email bodies and calendar details. While the instructions claim local processing, this breadth of access by unverified third-party code represents a significant data exposure surface.
- [COMMAND_EXECUTION]: There is extensive use of dynamic shell command generation (bash, curl, jq) to interact with local services, APIs, and the file system across multiple platforms (Claude Code, Codex, Gemini).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted external data (emails and chat messages) and processes it as high-priority input for analysis without using explicit boundary markers or sanitization. An attacker could potentially manipulate the agent's audit findings or instructions by sending a malicious message or email to the user.
Audit Metadata