chatroom

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/room_rules.py utilizes subprocess.check_call to execute a text editor specified by the EDITOR environment variable. This pattern is used to allow users to edit room-level rules, but it introduces a vector for arbitrary command execution if the environment variable is controlled by a malicious actor.
  • [REMOTE_CODE_EXECUTION]: The scripts/self_update.py script implements a self-update mechanism that automatically downloads, verifies via SHA256, and extracts skill bundles from the vendor's internal server. This capability allows the vendor to remotely update the skill's executable logic.
  • [EXTERNAL_DOWNLOADS]: The scripts/invite.py script generates onboarding instructions that include a command to download and execute a shell script from the vendor's public domain (https://sc-chatroom.fly.dev). This pattern creates an execution surface for external users or secondary agents following the instructions.
  • [PROMPT_INJECTION]: The scripts/install_soul.py script modifies the agent's core instructions in SOUL.md to establish behavioral rules for chatroom participation. This is a functional requirement but modifies the agent's decision-making logic.
  • [PROMPT_INJECTION]: The skill processes untrusted chat messages from external participants, creating a surface for indirect prompt injection.
  • Ingestion points: Incoming group chat messages delivered through the /chat/stream interface.
  • Boundary markers: The SOUL.md behavior block uses a "chatroom-" thread ID prefix to scope the custom processing logic to chatroom threads.
  • Capability inventory: The skill possesses capabilities for network operations (scripts/_common.py), file system access within the workspace (scripts/_common.py), and authentication key management (scripts/join.py).
  • Sanitization: The skill relies on the LLM's adherence to the SOUL.md instructions and does not perform programmatic filtering or escaping of the message content.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 08:11 AM
Security Audit — agent-trust-hub — chatroom