skills/sethgammon/citadel/archon/Gen Agent Trust Hub

archon

Warn

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands and local scripts including node, git, and npm throughout its lifecycle.
      • Evidence: Commands found in SKILL.md include git stash push, npm run propagate, and multiple node invocations targeting files in .citadel/scripts/ and scripts/.
  • [REMOTE_CODE_EXECUTION]: The skill executes local scripts (telemetry-log.cjs, map-index.js, run-with-timeout.js, update-campaign.js) that are part of the skill's environment. While these are local, their execution is triggered by agent logic and they handle parameters derived from campaign states.
      • Evidence: node .citadel/scripts/telemetry-log.cjs, node scripts/map-index.js, and node -e "const {updatePhaseStatus} = require('./core/campaigns/update-campaign'); ...".
  • [DATA_EXFILTRATION]: The skill implements a telemetry logging system that transmits campaign and session events to an external service managed by the author's infrastructure.
      • Evidence: Frequent calls to node .citadel/scripts/telemetry-log.cjs --event {event-type} --agent {agent} --session {slug}.
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core delegation and ingestion architecture.
      • Ingestion points: Reads content from CLAUDE.md, .planning/campaigns/*.md, .planning/coordination/claims/, and .planning/intake/ (SKILL.md Step 1 and Step 3).
      • Boundary markers: Absent. The instructions specify "Spawn a sub-agent with full context injection" including CLAUDE.md and "Relevant decisions from the campaign's Decision Log" without mention of escaping or delimiters.
      • Capability inventory: Extensive local script execution (node), version control operations (git), and project management commands (npm).
      • Sanitization: Absent. There is no evidence of filtering or validation for the content ingested from the repository files before injection into sub-agent prompts.
  • [DYNAMIC_EXECUTION]: The skill uses node -e to execute string-assembled JavaScript code for updating campaign statuses.
      • Evidence: node -e "const {updatePhaseStatus} = require('./core/campaigns/update-campaign'); updatePhaseStatus('.planning/campaigns/{slug}.md', {N}, 'complete');".
  • [PERSISTENCE]: The skill can establish long-running background processes (daemons) and configure "RemoteTrigger" or "watchdog triggers" to maintain activity across user sessions.
      • Evidence: Step 2.5 in SKILL.md describes the "Daemonize" process which writes to daemon.json and creates execution triggers.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 5, 2026, 10:48 AM