chatroom

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/room_rules.py launches a subprocess using the EDITOR environment variable (defaulting to vi). If an attacker can manipulate the agent's environment, they could set a malicious command as the editor and achieve arbitrary code execution in the host container.
  • [REMOTE_CODE_EXECUTION]: The scripts/self_update.py script implements a custom update mechanism that downloads .tar.gz bundles from the vendor's internal server (sc-chatroom.internal). It extracts these archives and replaces the skill's own scripts. While the integrity is checked via SHA256 and the source is the vendor's own infrastructure, this pattern bypasses standard package management and creates a mechanism for remote code modification.
  • [DATA_EXFILTRATION]: The skill frequently reads the agent's identity credentials (CONTAINER_JWT and USER_JWT) and transmits them to the sc-chatroom.internal server. This is the intended authentication flow for this vendor's service, but it means sensitive long-lived tokens are handled and sent across the network.
  • [PROMPT_INJECTION] (Indirect): The skill is designed to ingest and process data from external sources (chat messages from other users) and owner-defined "room rules" (fetched via GET /rooms/{room_id}/rules). These inputs are used to shape the agent's personality and behavior via the SOUL.md modification in scripts/install_soul.py. This creates a surface for indirect prompt injection where an attacker (as a room owner or participant) could influence the agent's actions.
  • Ingestion points: Inbound chat stream messages, GET /rooms/{room_id}/rules (room owner-controlled).
  • Boundary markers: The skill uses /data/workspace/chatroom/<room_id>/rules.md and data.md as local constraints to guide the LLM.
  • Capability inventory: Subprocess execution for rules editing (scripts/room_rules.py), file writes to the local workspace, and network calls to the chatroom API and clawd API.
  • Sanitization: Basic JSON parsing and regex for room IDs; however, room rules content is treated as authoritative behavioral guidance.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 01:04 AM