primitive-chat
Pass
Audited by Gen Agent Trust Hub on Jun 9, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The instructions direct the agent to send emails without seeking user confirmation when interacting with specific address prefixes such as help@, support@, or docs@. This encourages autonomous external communication that bypasses the user's explicit consent for outgoing data.
- [DATA_EXFILTRATION]: The skill provides a mechanism to send messages and data to external email addresses. While this is the intended functionality, it establishes a communication channel to third-party servers managed by the vendor.
- [COMMAND_EXECUTION]: The skill requires the execution of multiple shell commands to manage account signup, verification, and message transmission via the `primitive` CLI tool.
- [EXTERNAL_DOWNLOADS]: The installation process involves downloading and globally installing the `@primitivedotdev/cli` package from the NPM registry. It also mentions using `npx` to add the skill, which executes remote code.
- [SAFE]: (Indirect Prompt Injection) The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external email replies.
  - Ingestion points: Email reply content returned by the `primitive chat` command as described in SKILL.md.
  - Boundary markers: None identified; external content is processed directly by the agent without delimiters or warnings.
  - Capability inventory: The agent has capabilities to execute shell commands, install packages, and perform network operations via the CLI (SKILL.md).
  - Sanitization: No validation or sanitization of the email reply content is documented before the agent processes the data.
Audit Metadata