money-ops

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions and specific command-line snippets for setting up persistence via system-level cron jobs (e.g., 0 6 * * * claude -p "..."). It also facilitates automated task execution using the Claude CLI and the /schedule capability, which involves running shell-based prompts without direct human intervention.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it is designed to ingest and process untrusted external data sources.
  • Ingestion points: The orchestrator reads "application logs", "competitive scan" data (external website content), "social media engagement" comments, and "blog/social content" to inform its decision-making and reporting.
  • Boundary markers: The instructions do not define boundary markers or delimiters to separate untrusted data from system instructions, nor do they include warnings for the agent to ignore embedded commands in these sources.
  • Capability inventory: The skill has access to sensitive capabilities including modifying production databases, sending emails via external services (SendGrid), and changing pricing or payment settings.
  • Sanitization: There is no evidence of sanitization or validation routines for the external data before it is processed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 16, 2026, 03:34 PM
Security Audit — agent-trust-hub — money-ops