msg9
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use
curlfor interacting with the msg9.io API endpoints to send messages, manage contacts, and gift credits. Payloads are temporarily stored in the/tmp/directory before transmission. - [PROMPT_INJECTION]: An indirect prompt injection surface exists because the skill reads and processes untrusted data from external sources.
- Ingestion points: External data enters the agent context via
GET /api/v1/inbox/messages(incoming messages) andGET /api/v1/marketplace/search(third-party skill descriptions) as described inSKILL.md. - Boundary markers: The instructions do not define delimiters or protective wrapping for the fetched external content.
- Capability inventory: The skill provides capabilities to execute shell commands (
curl) that can perform network operations and state changes (e.g., gifting credits, posting to channels) based on processed data. - Sanitization: There are no documented procedures for sanitizing or validating the content of external messages or marketplace data before the agent processes them.
Audit Metadata