skills/plurigrid/asi/magic-todo/Gen Agent Trust Hub

magic-todo

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Hardcoded absolute file paths in the instructions reveal the local system's user account name and internal directory structure.
  • Evidence: The skill explicitly references paths including /Users/alice/v/scripts/magic_todo_mlx.py, /Users/alice/v/magic-todo-org/emacs/magic-todo-org.el, and /Users/alice/vi/plurigrid.org/plurigrid-basinator.org.
  • [COMMAND_EXECUTION]: The skill provides direct instructions to execute a local Python script from a specific virtual environment on the host machine.
  • Evidence: CLI usage examples demonstrate execution of /Users/alice/v/scripts/magic_todo_mlx.py using the binary at /Users/alice/v/.venv-mlx-lm/bin/python.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes untrusted user input to generate content that is subsequently written to local files.
  • Ingestion points: User-provided task descriptions piped via stdin as shown in SKILL.md.
  • Boundary markers: There are no specific delimiters or instructions to ignore embedded commands within the user-supplied task input.
  • Capability inventory: The workflow involves writing and appending LLM-generated content to local .org files.
  • Sanitization: No evidence of sanitization or validation of the generated output is provided before the file-write operation occurs.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 20, 2026, 05:07 AM
Security Audit — agent-trust-hub — magic-todo