weekly-review
Warn
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using the
bashtool. In Step 0, it executes${QMD_BIN} update && ${QMD_BIN} embed, whereQMD_BINis a variable dynamically read from a local configuration file (.claude/bulletjournal.local.md). Additionally, Step 5 explicitly instructs the agent to runqmd getvia shell to retrieve project status. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it aggregates content from various markdown files into a structured review.
- Ingestion points: Reads multiple files from
daily/and10-Projects/directories (SKILL.md steps 3, 4, and 5). - Boundary markers: None. The skill does not instruct the agent to treat the content of the notes as data only or to ignore embedded instructions.
- Capability inventory: File system write access (
Writetool used in step 8) and shell command execution (bashtool used forqmdcommands). - Sanitization: None. The skill does not perform any validation, escaping, or filtering on the content retrieved from the daily notes before processing it or including it in the final summary output.
Audit Metadata