customizing-statusline
Warn
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions and code examples (in
references/api.mdandreferences/examples.md) encourage the generation of code that usesnode:child_process.execFileto run shell commands such asgit,gh, andosascripton the host system. - [DATA_EXFILTRATION]: The migration guide in
references/migration.mddirects the agent to read sensitive shell configuration files, including~/.zshrc,~/.bashrc,~/.bash_profile, and~/.profile, to extract user prompt settings. These files often contain sensitive information such as environment variables, API tokens, and aliases. - [REMOTE_CODE_EXECUTION]: The skill's primary function is the dynamic generation of executable TypeScript React (
.tsx) mod files at~/.letta/mods/statusline.tsx. This code is persisted to the filesystem and executed by the host application runtime. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from existing mod files, user-provided shell scripts, and system configuration files.
- Ingestion points:
~/.letta/mods/statusline.tsx, user-provided.shscripts, and shell profile files (.bashrc, etc.) are read into the agent context. - Boundary markers: The instructions do not specify the use of boundary markers or delimiters when ingesting this data.
- Capability inventory: The skill has the capability to write files to the user's home directory and execute shell commands via the generated mod code.
- Sanitization: There are no explicit instructions to sanitize or validate the content extracted from these files before incorporating it into the generated statusline mod.
Audit Metadata