uv-sun
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches real-time UV monitoring data from the Australian Radiation Protection and Nuclear Safety Agency (ARPANSA) via their public XML feed at
https://uvdata.arpansa.gov.au/xml/uvvalues.xml. This is a trusted government source for environmental safety information. - [COMMAND_EXECUTION]: A dynamic context injection in
SKILL.mdexecutes a shell command (command -v uv) at load time to verify that the requireduvtool is installed in the environment. This is a benign diagnostic check used to ensure the skill can run. - [PROMPT_INJECTION]: The skill processes external data from the ARPANSA feed, which theoretically represents an indirect prompt injection surface.
- Ingestion points: Data is fetched from an external government XML feed and processed in
scripts/uv_sun.py. - Boundary markers: The
SKILL.mdfile defines specific JSON output formats and presentation rules, which help the agent distinguish between data and instructions. - Capability inventory: The skill can execute shell commands via
uv run, perform network requests to the ARPANSA domain, and write to a local cache directory in the user's home folder. - Sanitization: The script parses the XML structure and validates UV index values by casting them to floating-point numbers, though general text fields from the feed are not explicitly sanitized against secondary instructions.
Audit Metadata