weekly-review

Warn

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands using the bash tool. In Step 0, it executes ${QMD_BIN} update && ${QMD_BIN} embed, where QMD_BIN is a variable dynamically read from a local configuration file (.claude/bulletjournal.local.md). Additionally, Step 5 explicitly instructs the agent to run qmd get via shell to retrieve project status.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it aggregates content from various markdown files into a structured review.
  • Ingestion points: Reads multiple files from daily/ and 10-Projects/ directories (SKILL.md steps 3, 4, and 5).
  • Boundary markers: None. The skill does not instruct the agent to treat the content of the notes as data only or to ignore embedded instructions.
  • Capability inventory: File system write access (Write tool used in step 8) and shell command execution (bash tool used for qmd commands).
  • Sanitization: None. The skill does not perform any validation, escaping, or filtering on the content retrieved from the daily notes before processing it or including it in the final summary output.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 18, 2026, 06:25 PM
Security Audit — agent-trust-hub — weekly-review