dream

Pass

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: SAFE
Findings flagged: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The instruction file includes an unvalidated $ARGUMENTS placeholder at the end of the text, which allows user-supplied input to be directly appended to the agent's context, creating a surface for direct prompt injection.
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to execute multiple system commands, including 'git log', 'ghq list', and a local script 'dig.py', to gather information across all project directories.
  • [DATA_EXFILTRATION]: The skill aggregates a wide range of potentially sensitive information, including session histories, abandoned work, open issues, and a 'Fleet Status' consisting of running processes and services. This aggregated data is then processed and stored via the 'oracle_learn' function.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it ingests and summarizes data from untrusted external sources.
    * Ingestion points: Git commit messages, GitHub issue titles/bodies, session history logs, and system process names.
    * Boundary markers: No delimiters or specific instructions are provided to the agent to distinguish between data content and instructions.
    * Capability inventory: Executes shell commands (git, ghq, system tools), reads project files, and updates a central memory via MCP tools.
    * Sanitization: There is no mention of filtering, escaping, or validating the content retrieved from external repositories or system logs before processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 11, 2026, 02:11 PM