tg
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bootstrap script
auth.shusessudoto create a symlink in the system-wide/usr/local/bindirectory, which represents a request for elevated administrative privileges on the host system. - [COMMAND_EXECUTION]: The skill executes a bundled binary (
bin/tg) and a shell script (auth.sh) distributed within the skill's file structure. - [DATA_EXFILTRATION]: The skill instructions direct the agent to read the user's SSH public key from the sensitive file path
~/.ssh/id_ed25519.puband transmit it to the Tangled service during registration. - [CREDENTIALS_UNSAFE]: The skill retrieves and processes sensitive ATProto/Bluesky app passwords from environment variables (
ATPROTO_APP_PASSWORDandBSKY_APP_PASSWORD). While standard for this protocol, these secrets are handled by the local bootstrap script. - [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by processing untrusted content from external Tangled issues and pull requests.
- Ingestion points: Data fetched via
tg issue viewandtg pr viewfrom external repositories. - Boundary markers: No specific delimiters or safety instructions are provided to the agent to distinguish between platform data and user instructions.
- Capability inventory: Execution of local scripts/binaries, network communication, and repository cloning into the local workspace.
- Sanitization: The skill lacks explicit sanitization or validation mechanisms for content retrieved from external sources before it is processed by the agent.
Audit Metadata