system-architecture
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides a suite of verification commands that allow an agent to query and control the host environment. This includes tools for Kubernetes management (`kubectl`), macOS service orchestration (`launchctl`), VM management (`colima`), and network probes (`curl`).
- [DATA_EXFILTRATION]: The documentation maps the locations of sensitive system resources, creating a discovery risk. It explicitly identifies paths for environment configurations (`~/.config/system-bus.env`), gateway settings (`~/.joelclaw/gateway/.pi/settings.json`), and Kubernetes secrets (`pi-auth`, `agent-identity`).
- [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface by grounding its reasoning in external, potentially untrusted data sources.
  - Ingestion points: Reads the last 50 lines of `~/Vault/system/system-log.jsonl` and agent configurations in `~/.joelclaw/gateway/AGENTS.md`.
  - Boundary markers: No delimiters or instructions to ignore embedded commands within the log data are present.
  - Capability inventory: High-privilege access to the system via `kubectl`, `launchctl`, and `curl` for infrastructure modification.
  - Sanitization: No validation or sanitization logic is described for the ingested logs or markdown files.
- [COMMAND_EXECUTION]: The verification section contains an embedded Python script (`python - <<'PY'`) used to read and parse local source files (`packages/system-bus/src/inngest/functions/index.host.ts`) to count registered functions.
Audit Metadata