wiki-ingest

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The instructions for URL ingestion and delta tracking utilize shell commands with placeholders, specifically defuddle [url] and md5sum [file]. Without explicit sanitization directives for the agent, an attacker can provide a maliciously crafted URL or filename containing shell metacharacters (e.g., https://example.com; id) to execute arbitrary commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch content from arbitrary user-provided URLs using the WebFetch tool. This functionality introduces untrusted data into the agent's environment and serves as the primary vector for indirect prompt injection.
  • [DATA_EXFILTRATION]: The logic used to derive a 'slug' from URL paths (taking the last segment) is susceptible to path traversal. If a URL contains traversal sequences like ..%2f, the agent may write output files to unauthorized directories outside the intended .raw/ or wiki/ folders.
  • [PROMPT_INJECTION]: The skill processes external data from fetched webpages and image OCR without using boundary markers or 'ignore' instructions. This exposes the agent to indirect prompt injection, where malicious instructions embedded in the source documents could manipulate the agent into performing unauthorized actions during the ingestion process.
  • Ingestion points: External data enters via WebFetch (URL Ingestion) and the Read tool (Image Ingestion/OCR).
  • Boundary markers: None are defined to separate untrusted source content from agent instructions.
  • Capability inventory: The skill has the ability to write to the local filesystem (wiki/, .raw/, .manifest.json) and execute shell commands (bash, defuddle).
  • Sanitization: There is no evidence of sanitization for ingested text or derived filenames.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 10, 2026, 03:04 PM