split-expenses
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary functionality is implemented by executing the `hledger` binary and internal Python scripts (`scripts/tab_calc.py`, `scripts/tab_helpers.py`) using `subprocess.run` to interact with ledger files based on user input.
- [EXTERNAL_DOWNLOADS]: The `references/installing-hledger.md` documentation provides links to fetch the `hledger` binary from its official project repository on GitHub.
- [REMOTE_CODE_EXECUTION]: The installation guide suggests a command that downloads and extracts a binary archive from the hledger project's GitHub releases directly to system paths using a piped command.
- [COMMAND_EXECUTION]: The agent is instructed to run `mise install` automatically and without user confirmation if a configuration file is detected in the project root, which could allow for the execution of installation logic defined in local project files.
- [COMMAND_EXECUTION]: The installation reference suggests using `sudo` to acquire administrative privileges when installing prerequisites via system package managers like `apt` or `xbps`.
- [PROMPT_INJECTION]: The skill processes untrusted data from user descriptions and the `notes` field in `tab.yaml`, creating an indirect prompt injection surface when generating summaries or journal entries.
  - Ingestion points: User-provided expense descriptions and the `notes` array in `tab.yaml`.
  - Boundary markers: None provided in prompt instructions or script outputs.
  - Capability inventory: Execution of shell commands and Python scripts using `subprocess.run`.
  - Sanitization: No validation or escaping is performed on external text inputs before processing.
Audit Metadata