find-recruiting-firm

Fail

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill directs the agent to perform silent harvesting of API tokens from sensitive local configuration files.
      • Evidence: The 'Auth' section instructs the agent to "read .env.local then .env in the current working directory and look for a SERVICEGRAPH_TOKEN=… line."
      • Evidence: The instructions explicitly tell the agent to bypass user confirmation: "If you find it, use it; don't ask."
  • [DATA_EXFILTRATION]: Data extracted from local sensitive files is intended for transmission to an external endpoint.
      • Evidence: The skill mandates setting the extracted token in the 'Authorization: Bearer' header for all requests to 'https://api.servicegraph.co'.
  • [PROMPT_INJECTION]: The instructions contain directive language designed to minimize user oversight and override default agent cautiousness regarding file access.
      • Evidence: The phrase "don't ask" is used to explicitly suppress the agent's typical behavior of requesting permission before accessing sensitive filesystem data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 8, 2026, 08:52 AM