tapestry
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill automatically executes brew install to install system packages like yt-dlp if they are not detected. This modifies the host system environment without explicit user confirmation or a separate setup phase.
- [COMMAND_EXECUTION]: The skill uses shell scripts to process user-provided URLs directly in commands such as curl, yt-dlp, and reader. There is no evidence of shell escaping or sanitization for the $URL variable, which could lead to command injection if a malicious URL (e.g., containing backticks or semicolons) is provided.
- [EXTERNAL_DOWNLOADS]: The skill downloads content from arbitrary user-provided URLs using curl, yt-dlp, and other tools. While this is the primary purpose of the skill, it creates a vector for interacting with malicious servers.
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection. It ingests untrusted data from external sources (YouTube transcripts, web articles, PDFs) and passes this content to the ship-learn-next skill to create an action plan. If the source content contains malicious instructions designed to manipulate the agent, the agent may follow them during the planning phase.
  - Ingestion points: Content extracted from URLs and saved to .txt files in Step 2.
  - Boundary markers: None. The content is read directly from the file into the planning context.
  - Capability inventory: The skill has Bash, Read, and Write permissions, allowing it to execute system commands and modify files based on the generated plan.
  - Sanitization: None. The script performs basic HTML/text cleaning for formatting but does not filter for instructional content.
Recommendations
- AI detected serious security threats