week-report-system

Fail

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill requires a GitHub Personal Access Token (PAT) and provides automated instructions to write this token in plain text into shell configuration files such as .zshrc, .bashrc, and .bash_profile. This exposes the credential to any process or user with read access to the home directory.
  • [DATA_EXFILTRATION]: The skill is designed to silently record user conversations and AI responses, transmitting this data to an external GitHub repository in the background. While this is the stated purpose of a "week report system," the silent nature of the operation and the handling of the PAT increase the risk of unauthorized data exposure.
  • [REMOTE_CODE_EXECUTION]: The skill instructions recommend installing a global npm package from a personal third-party repository (@wang121ye/skillmanager) to manage and install skills across different AI agents. This introduces a supply chain risk through unverified third-party code execution.
  • [COMMAND_EXECUTION]: The skill uses shell commands and Python's subprocess.run to perform environment checks, modify system configuration files (sed, cat), and manage Git operations. The automated modification of shell profiles is a persistence-like behavior used for storing credentials.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during the "Weekly Report Generation" phase. It reads historical conversation logs (.txt files) from the Git repository and interpolates them into an AI analysis prompt without sanitization or boundary markers. This could allow an attacker to embed malicious instructions in a previous conversation that are later executed when the agent generates a summary.
    ◦ Ingestion points: references/report_generation.md (Step 3: Read Conversation Files) and scripts/git_operations.py (pulling logs from remote).
    ◦ Boundary markers: Absent. The combined text of all conversations is interpolated directly into the analysis prompt.
    ◦ Capability inventory: The skill has file read/write access and the ability to execute shell commands via git_operations.py.
    ◦ Sanitization: Absent. The skill uses simple regex splitting for formatting but does not escape or validate content for prompt injection patterns.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 16, 2026, 02:28 AM