daily-report

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The .claude/settings.local.json file permits the execution of npx skills *. This command allows the agent to download and execute arbitrary packages from the npm registry, which is a significant remote code execution vector.
  • [REMOTE_CODE_EXECUTION]: The permission Bash(curl *) in .claude/settings.local.json allows the agent to download content from any URL. If combined with execution tools (like bash or python), this can be used to run arbitrary remote scripts.
  • [DATA_EXFILTRATION]: The Bash(curl *) wildcard permission enables the agent to send any local data, including the codebase or environment variables, to an external server via HTTP requests.
  • [DATA_EXFILTRATION]: The daily-report skill allows users to provide an arbitrary Git repository URL for archiving generated reports. The agent performs git push to this URL, which could be leveraged to exfiltrate report data containing summarized code and collaboration details to an attacker-controlled repository.
  • [EXTERNAL_DOWNLOADS]: The configuration file explicitly allows fetching data from skills.sh and agentskills.io. These are third-party domains not recognized as standard or trusted services within the analysis framework.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands (git log, git show, git diff, git clone, git push) based on user-provided inputs like repository paths and URLs. These inputs are used directly in shell execution without explicit sanitization patterns documented in the skill instructions.
  • [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by ingesting and summarizing git log and git diff output. Maliciously crafted commit messages or code comments could contain instructions designed to manipulate the agent's summary generation or subsequent actions.
    • Ingestion points: git log, git show, git diff (analyzed in SKILL.md Phase 2 & 4)
    • Boundary markers: No explicit delimiters or instructions are used to separate the git data from the agent's instructions.
    • Capability inventory: Access to bash for command execution and file writing.
    • Sanitization: No sanitization or filtering of the commit content is performed prior to LLM analysis beyond basic keyword noise filtering.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 10:01 AM
Security Audit — agent-trust-hub — daily-report