kalopilot
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill employs a shell script (`scripts/pilot.sh`) to manage API interactions. It uses `curl` to send requests to `https://staging.kalodata.com` and utilizes process IDs (PIDs) to track background execution and polling status.
- [DATA_EXFILTRATION]: User authentication is handled through a KaloData API token stored in the user's home directory at `~/.kalopilot/token`. This token is transmitted to the official service domain (kalodata.com) for authentication. This is an expected pattern for skills integrating with third-party APIs.
- [COMMAND_EXECUTION]: The `scripts/pilot.sh` script performs basic string interpolation to build JSON payloads (e.g., `payload="{\"query\": \"$question\"}"`). While this does not present a shell injection risk when variables are handled by the agent, it represents a best-practice violation as it could lead to invalid JSON if user input contains unescaped double quotes.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it processes and displays data fetched from an external API (`staging.kalodata.com`). The agent is instructed to render the `text` and `report` fields from the API response directly into the conversation.
- Ingestion points: Data is received via the `scripts/pilot.sh result` command, which reads from `~/.kalopilot/result.json`.
- Boundary markers: No specific delimiters or safety instructions are provided to the agent to treat the API response as untrusted data.
- Capability inventory: The skill has capabilities to execute shell commands via `scripts/pilot.sh` (including `curl` and `rm`) and read/write files in the `~/.kalopilot/` directory.
- Sanitization: No sanitization or validation of the API-returned content is performed before presentation to the user.
Audit Metadata