docs-seeker
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies] (MEDIUM): The skill instructs the agent to execute `npm install -g repomix`. This performs a global installation of an external package from the public npm registry at runtime. While the tool is relevant to the skill's purpose, runtime installation of unpinned packages is a supply-chain risk.
- [Command Execution] (MEDIUM): The workflow relies on shell commands including `git clone [repo-url]`, `npm install`, and `repomix --output`. These operations interact with the local file system and execute external binaries based on user-provided or search-discovered URLs.
- [Indirect Prompt Injection] (LOW): The skill's core functionality is to ingest untrusted data from the internet (llms.txt files and codebase content) and process it using LLM agents. This creates a surface for indirect prompt injection where an attacker could place malicious instructions inside documentation files.
  - Ingestion points: `WebFetch` of documentation URLs and `git clone` of repositories (e.g., Phase 2 and 3).
  - Boundary markers: Absent. There are no instructions to wrap untrusted content in delimiters or use safety warnings when passing data to sub-agents.
  - Capability inventory: File system write access via `git clone`, network access via `WebFetch`, and the ability to spawn sub-tasks/agents (`Explorer`, `Researcher`).
  - Sanitization: None identified. The skill directly extracts and organizes content for AI consumption.
- [External Downloads] (LOW): The skill prioritizes fetching documentation from context7.com, a third-party aggregator. While useful for technical documentation, it is an untrusted external source that could serve manipulated content.