siyuan-notes

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to the ingestion of untrusted data from user notes.
      • Ingestion points: User-generated note content is retrieved via searchNotes, getBlockByID, and executeSiyuanQuery in index.js and returned to the agent context.
      • Boundary markers: The skill does not implement delimiters or 'ignore embedded instructions' warnings when presenting note content to the agent.
      • Capability inventory: The skill has network access via node-fetch and local file system access (read/write/delete) in the .tmp directory via the fs module.
      • Sanitization: Minimal sanitization is performed (e.g., basic HTML tag removal in searchNotes), but no filtering exists to prevent embedded instructions in the notes from influencing the LLM.
  • [COMMAND_EXECUTION]: The skill allows the agent to execute arbitrary SQL statements on the Siyuan Note database.
      • Evidence: The executeSiyuanQuery function in index.js takes a raw SQL string and passes it directly to the Siyuan API's /api/query/sql endpoint. While intended for querying, this represents a high-privilege interface to the note database.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data and assets from external or local network sources.
      • Evidence: It communicates with a Siyuan Note server via HTTP/HTTPS. The getLocalAssetPath function in index.js downloads binary assets (images, attachments) from the note server and stores them in a local .tmp/assets directory for agent processing.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 04:41 PM