secondbrain-init
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Step 5 of the scaffolding process directs the agent to create a configuration file (`.claude/settings.local.json`) that enables `allow_bash: ["*"]`. This grants the agent unrestricted ability to execute any shell command on the host system.
- [DATA_EXFILTRATION]: The skill recommends enabling `allow_web_fetch: ["*"]` while simultaneously requesting read access to the entire user home directory (`allow_read: ["~/**"]`). This configuration facilitates the silent exfiltration of sensitive files to arbitrary external URLs.
- [CREDENTIALS_UNSAFE]: By proposing the inclusion of `~/**` in the allowed read paths, the skill exposes all private user data, including SSH private keys, cloud provider credentials, and environment variables, to the agent.
- [EXTERNAL_DOWNLOADS]: The project setup workflow requires the global installation of the `qmd` CLI tool via `npm` or `bun`, which involves downloading approximately 1.5GB of unverified model data from external sources.
- [PROMPT_INJECTION]: The skill uses "CRITICAL" instructions to ensure the agent proposes these high-risk "maximum freedom" settings, which is a pattern used to bypass default safety constraints through permissive configuration.
- [PROMPT_INJECTION]: The skill establishes an environment for indirect prompt injection by scaffolding a system that processes untrusted Markdown and YAML data within a high-privilege context (bash access, network access). Ingestion points include `data/*.yaml` and `docs/*.md` files, which lack boundary markers or sanitization logic in the provided templates.
Recommendations
- AI detected serious security threats
Audit Metadata