slipbox
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface. It retrieves note content from an external GitHub repository and instructs the agent to synthesize summaries ('meta-notes') from this data. Maliciously crafted content within those notes could influence the agent's reasoning or behavior during the synthesis process.
  - Ingestion points: Note content and indices (backlinks, clusters, tensions) retrieved from the GitHub repository via the `gh` CLI.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when interpolating note content into synthesis tasks.
  - Capability inventory: The skill allows network writes via `curl` POST requests to the SlipBox API and repository interactions via the `gh` CLI.
  - Sanitization: No input validation or sanitization is performed on the retrieved Markdown/YAML content before processing.
- [CREDENTIALS_UNSAFE]: The 'Setup Check' section includes a diagnostic command that prints the first six characters of the `SLIPBOX_API_KEY` to standard output. While helpful for debugging, this leads to partial credential exposure in the agent's interaction logs.
- [COMMAND_EXECUTION]: The skill utilizes shell commands (`curl`, `gh`, `grep`, `sed`) to perform its operations. While these are documented and aligned with the skill's purpose, they represent a significant capability for file and network interaction.
- [EXTERNAL_DOWNLOADS]: The skill interacts with external services, specifically a Vercel-hosted API (`slip-box-rho.vercel.app`) and a GitHub repository (`Randroids-Dojo/PrivateBox`). These interactions involve downloading note content and uploading synthesized data. Both platforms are well-known services.
Audit Metadata