advisory-board
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to execute a system command ('open') to launch a generated HTML file on the host machine. Evidence: 'After generation completes, automatically open it in the browser with the open command'.
- [REMOTE_CODE_EXECUTION]: The skill dynamically generates a standalone HTML document containing inline CSS and JavaScript derived from user input and retrieved file data. This is dynamic code generation that is then executed automatically in the user's browser, creating a path for Cross-Site Scripting (XSS) or local code execution. Evidence: 'Phase 6: HTML visual report... CSS and JS are all inlined'.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from business topics and local files.
  - Ingestion points: User-provided topics and files in the '00-我/' directory.
  - Boundary markers: No delimiters or ignore instructions are used during data interpolation.
  - Capability inventory: The skill has 'Write' access to the filesystem and the ability to execute commands via 'open'.
  - Sanitization: No validation or escaping is performed on the ingested content before it is processed or included in reports.
- [DATA_EXFILTRATION]: The skill accesses sensitive personal information in local directories such as '00-我/profile/core_values.md' and '00-我/goals/active_goals.md'. While intended to provide context, this data is integrated into generated reports, posing a risk of data exposure if the agent's instructions are manipulated. Evidence: 'The host should retrieve the 00-我/ directory... profile/core_values.md'.
Audit Metadata