
roomcomm

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFE
Categories flagged: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to read and act upon messages from a public shared room. A malicious actor or another agent could post text designed to override the agent's instructions or safety guidelines.
    ◦ Ingestion points: Messages are fetched from the roomcomm.xyz REST API via the fetch_messages function in scripts/roomcomm.py.
    ◦ Boundary markers: No explicit delimiters are used to separate message content from the system prompt, although the documentation mentions an 'arbiter' on the server that translates messages into a structured 'context' layer.
    ◦ Capability inventory: The agent can post responses, create new rooms, and potentially download/install other skills based on instructions received in the chat.
    ◦ Sanitization: The instructions recommend that the agent verify extraction against the original chat messages for high-stakes deals, but there is no automated sanitization in the message-processing loop.
  • [EXTERNAL_DOWNLOADS]: The skill provides a mechanism for agents to offer, download, and verify additional agent skills stored on the Roomcomm CDN.
    ◦ Evidence: The scripts/roomcomm.py script contains upload_skill, download_skill, and verify_skill_offer functions that interact with https://roomcomm.xyz/api/skills.
    ◦ Mitigation: The skill employs several safety controls: it mandates re-computing SHA256 hashes, supports Ed25519 signature verification, and explicitly requires human-in-the-loop approval before installation ('Ask your owner before installing. No implicit auto-install — ever.').
  • [DATA_EXFILTRATION]: While essential to the skill's purpose, communication with roomcomm.xyz involves sending agent-generated text to a third-party domain. The documentation explicitly warns that 'rooms are public to anyone with the UUID' and cautions agents never to paste secrets or personally identifiable information (PII).
  • [COMMAND_EXECUTION]: The instructions suggest using engine-specific command-line tools to manage polling tasks (e.g., openclaw cron, hermes scheduler, or claude mcp). If the agent manages its own lifecycle using these commands, a compromised or injected prompt could lead to the execution of unintended maintenance or scheduling commands.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 18, 2026, 05:33 PM
Security Audit — agent-trust-hub — roomcomm