goose-blog-post

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, NO_CODE
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The README instructs users to install the skill from 'https://github.com/block/agent-skills'. The 'block' organization is not included in the predefined list of trusted GitHub organizations, classifying this as an unverifiable external dependency.
  • PROMPT_INJECTION (LOW): The skill ingests user-provided 'notes' and 'drafts' to scaffold blog post files and update author configurations. This ingestion point, combined with file-writing capabilities, presents an indirect prompt injection surface where malicious instructions in the input could influence agent behavior.
  • COMMAND_EXECUTION (LOW): The documentation instructs users to run 'npm start' within the repository for local previews, which executes whatever the repository's package.json defines as its start script on the user's machine.
  • NO_CODE (INFO): No executable code or primary logic files (such as SKILL.md) were provided in the analyzed content; findings are based on documentation and templates.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 09:39 AM