osint
Fail
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill is explicitly designed to access and analyze highly sensitive personal data from the local system. It searches for and processes Telegram chat history (using `tg.py`), local email correspondence (via the `himalaya` tool), and contact/CRM information stored in the workspace vault (specifically `vault/crm/` and `vault/contacts/`). This private data is extracted, processed, and subsequently sent to external third-party AI services including Perplexity, Exa, and Tavily to generate dossiers and psychoprofiles, constituting a high-risk exfiltration of private user communications.
- [COMMAND_EXECUTION]: The skill makes extensive use of local shell scripts to orchestrate complex toolchains. It executes various external CLI tools and interpreters, including `curl`, `node`, `himalaya`, and `tg.py`. The `first-volley.sh` script specifically launches multiple background search processes in parallel, which provides a significant footprint for command execution across the system.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because its core functionality involves the recursive extraction and analysis of unverified data from across the web.
  - Ingestion points: The skill ingests YouTube transcripts, personal blog content, and social media profile data (LinkedIn, Instagram, Facebook, TikTok) as documented in `SKILL.md` and the `references/` directory.
  - Boundary markers: Extracted text is interpolated into analysis prompts for services like Perplexity and Exa without delimiters or instructions to ignore embedded commands, allowing malicious instructions in a target's bio or transcript to potentially hijack the agent's logic.
  - Capability inventory: The skill possesses high-privilege capabilities, including reading private messages and emails, executing network requests, and running shell scripts.
  - Sanitization: There is no evidence of sanitization or validation performed on data scraped from the internet before it is processed by the LLM or used to generate output dossiers.
- [CREDENTIALS_UNSAFE]: Several scripts, including `apify.sh`, `jina.sh`, and `parallel.sh`, are hardcoded to look for API tokens and search engine keys in plain-text files within the workspace (e.g., `scripts/apify-api-token.txt`). This reliance on searching for secrets in predictable, unencrypted local file paths increases the risk of credential exposure if the workspace environment is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata