magic-todo
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: Hardcoded absolute file paths in the instructions reveal the local system's user account name and internal directory structure.
- Evidence: The skill explicitly references paths including
/Users/alice/v/scripts/magic_todo_mlx.py,/Users/alice/v/magic-todo-org/emacs/magic-todo-org.el, and/Users/alice/vi/plurigrid.org/plurigrid-basinator.org. - [COMMAND_EXECUTION]: The skill provides direct instructions to execute a local Python script from a specific virtual environment on the host machine.
- Evidence: CLI usage examples demonstrate execution of
/Users/alice/v/scripts/magic_todo_mlx.pyusing the binary at/Users/alice/v/.venv-mlx-lm/bin/python. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes untrusted user input to generate content that is subsequently written to local files.
- Ingestion points: User-provided task descriptions piped via stdin as shown in
SKILL.md. - Boundary markers: There are no specific delimiters or instructions to ignore embedded commands within the user-supplied task input.
- Capability inventory: The workflow involves writing and appending LLM-generated content to local
.orgfiles. - Sanitization: No evidence of sanitization or validation of the generated output is provided before the file-write operation occurs.
Audit Metadata