quip-to-gitlab-wiki
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The Python and shell scripts use system utilities like `curl`, `git`, `ffmpeg`, and `file`. These operations are performed using secure patterns, such as passing arguments as lists to `subprocess.run` and validating inputs to prevent shell injection.
- [EXTERNAL_DOWNLOADS]: The conversion script downloads content and media assets from Quip's platform APIs (e.g., quip-amazon.com). The connections are restricted to HTTPS and validated to prevent protocol-based attacks.
- [PROMPT_INJECTION]: The skill processes document content from external sources, presenting an indirect prompt injection surface.
  - Ingestion points: HTML content is retrieved from the Quip API in `scripts/quip-to-markdown.py`.
  - Boundary markers: No explicit delimiters are used in the generated markdown output to isolate potentially adversarial instructions.
  - Capability inventory: The skill uses `subprocess.run` for media processing and file writing.
  - Sanitization: Content is converted to markdown via `html2text`, but lacks semantic filtering to prevent prompt-based attacks.
- [SAFE]: Sensitive tokens are managed via environment variables and passed to subprocesses using secure methods (e.g., curl's stdin config) to prevent exposure in process monitoring tools.
- [SAFE]: The code includes dedicated path traversal checks (`sanitize_path`) to ensure that asset downloads and file generation remain within the user-specified directory.