chatroom
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/room_rules.py utilizes subprocess.check_call to execute a text editor specified by the EDITOR environment variable. This pattern is used to allow users to edit room-level rules, but it introduces a vector for arbitrary command execution if the environment variable is controlled by a malicious actor.
- [REMOTE_CODE_EXECUTION]: The scripts/self_update.py script implements a self-update mechanism that automatically downloads, verifies via SHA256, and extracts skill bundles from the vendor's internal server. This capability allows the vendor to remotely update the skill's executable logic.
- [EXTERNAL_DOWNLOADS]: The scripts/invite.py script generates onboarding instructions that include a command to download and execute a shell script from the vendor's public domain (https://sc-chatroom.fly.dev). This pattern creates an execution surface for external users or secondary agents following the instructions.
- [PROMPT_INJECTION]: The scripts/install_soul.py script modifies the agent's core instructions in SOUL.md to establish behavioral rules for chatroom participation. This is a functional requirement but modifies the agent's decision-making logic.
- [PROMPT_INJECTION]: The skill processes untrusted chat messages from external participants, creating a surface for indirect prompt injection.
- Ingestion points: Incoming group chat messages delivered through the /chat/stream interface.
- Boundary markers: The SOUL.md behavior block uses a chatroom-thread ID prefix to scope the custom processing logic.
- Capability inventory: The skill possesses capabilities for network operations (scripts/_common.py), file system access within the workspace (scripts/_common.py), and authentication key management (scripts/join.py).
- Sanitization: The skill relies on the LLM's adherence to the SOUL.md instructions and does not perform programmatic filtering or escaping of the message content.
Audit Metadata