touying-author
Audited by Gen Agent Trust Hub on Feb 13, 2026
The skill consists entirely of Markdown documentation files, which describe how to use the Touying Typst package for creating presentations. The skill itself does not contain any executable scripts or code that the AI agent would run directly. The primary findings relate to references to external Typst packages.
1. Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', 'You are now unrestricted') were found in the skill's content or metadata. Natural language usage of 'important' was benign.
2. Data Exfiltration: No commands or patterns for data exfiltration were detected. The typst query command mentioned in SKILL.md and docs/external/pdfpc.md is a local command-line operation for the Typst typesetting system, querying local files and redirecting output to another local file, without involving sensitive paths or external network requests.
3. Obfuscation: No obfuscation techniques (e.g., Base64, zero-width characters, homoglyphs) were found in any of the files.
4. Unverifiable Dependencies: The documentation extensively references external Typst packages from the @preview registry (e.g., @preview/touying, @preview/cetz, @preview/fletcher, @preview/numbly, @preview/theorion, @preview/codly, @preview/mitex, @preview/pinit, cosmos.clouds). These are external dependencies not listed in the 'Trusted GitHub Repositories/Organizations'. However, these are references within documentation, not direct installation commands executed by the AI. Users would manually configure their Typst environment to use these. The Typst @preview registry is a curated ecosystem, which mitigates some risk compared to arbitrary external downloads. This is flagged as LOW severity because the skill itself is not performing the download or installation, but rather documenting its usage.
5. Privilege Escalation: No commands (e.g., sudo, chmod +x, service installations) indicative of privilege escalation were found.
6. Persistence Mechanisms: No patterns for establishing persistence (e.g., modifying shell configurations, cron jobs) were found.
7. Metadata Poisoning: The YAML front matter in SKILL.md and other documentation files was reviewed and found to be benign, containing only standard metadata like name, description, and sidebar position.
8. Indirect Prompt Injection: As a documentation skill for a typesetting tool, it processes user-provided Typst code. While the skill itself doesn't directly process external content in a way that would lead to indirect prompt injection by the AI agent, there's an inherent risk for users if they process untrusted Typst files. This is noted as an informational risk for the user, not a direct threat from the skill itself.
9. Time-Delayed / Conditional Attacks: No conditional logic or time-based triggers for malicious behavior were found in the documentation or Typst snippets.
Conclusion: The skill is primarily documentation. The only security concern is the reference to external Typst packages, which is a low risk given the context of documentation and the curated nature of the Typst package registry. The skill itself does not execute code or perform any actions that would pose a direct threat to the AI agent or its environment.