doc-smith-build

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to be executed as a Node.js script (scripts/build.mjs) to transform Markdown files into a static website. It performs file system operations including reading content, creating directories, and writing HTML and JavaScript files.
  • [EXTERNAL_DOWNLOADS]: The skill uses several standard third-party libraries from the NPM registry, such as markdown-it, gray-matter, and yaml. These are managed via package.json and are necessary for the skill's stated purpose of document processing.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests and processes Markdown and YAML files to generate the final documentation site.
      • Ingestion points: Markdown (.md) files and YAML configuration files (e.g., document-structure.yaml, config.yaml) located within the workspace directory.
      • Boundary markers: There are no explicit delimiters or specific instructions to the agent to ignore embedded commands within the processed documentation files.
      • Capability inventory: The build script utilizes the node:fs module to perform file system writes (writeFile), directory creation (mkdir), and file copying (copyFile) within the specified output path.
      • Sanitization: The skill mitigates common web vulnerabilities by configuring markdown-it with html: false to prevent raw HTML injection and by using a custom escapeHtml utility and textContent-based escaping in the generated navigation script.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 23, 2026, 03:59 AM