graphify
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the installation of the `graphifyy` package from PyPI. There is a naming discrepancy between the tool's common name ('graphify') and the requested package name ('graphifyy'), which can be a sign of typosquatting or an unofficial distribution.
- [COMMAND_EXECUTION]: The skill utilizes `graphify install [platform]` commands for a wide range of assistants (Claude, Cursor, Gemini, Copilot, etc.). These commands likely modify local application configurations or install hooks/plugins, which constitutes a persistence-like mechanism and environment modification.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8):
  - Ingestion points: The tool ingests untrusted external data via `graphify add <URL>` and by scanning local codebase files (code, docs, PDFs, media).
  - Boundary markers: There are no instructions provided to the agent to use delimiters or ignore instructions embedded within the processed files or URLs.
  - Capability inventory: The skill has access to `Bash`, `Read`, `Write`, `Grep`, and `Glob` tools, and provides Python snippets that utilize the `pathlib` and `graphify` modules to generate reports and HTML visualizations.
  - Sanitization: No sanitization or validation of the ingested external content is mentioned before it is processed into the `GRAPH_REPORT.md` or `graph.json` files which the agent subsequently reads.
- [ADVERSARIAL_CONTEXT]: There is a mismatch between the provided author context ('akillness') and the repository/package source ('safishamsi/graphify'). The repository and package are hosted under an account that does not align with the vendor identity provided in the system context.