im-local-kb

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core functionality of extracting knowledge from external, untrusted IM logs.
    • Ingestion points: Data enters the system via Markdown files in 'kb/00-chats-input-raw/' and 'kb/01-chats-input-organized/'.
    • Boundary markers: While Markdown headers and time tags provide logical separation, the skill does not include specific boundary delimiters or system-level instructions for the agent to disregard commands embedded within the chat content.
    • Capability inventory: The sub-agent 'im-local-db_knowledge-extractor' is equipped with 'write_file' and 'replace' tools, and the main agent scripts can perform various file system operations like rename, delete, and zip.
    • Sanitization: No explicit sanitization or filtering of the ingested chat messages is performed before they are processed by the LLM.
  • [COMMAND_EXECUTION]: Several Python scripts ('SCRIPT_backup_full.py', 'SCRIPT_normalize_merge.py', 'SCRIPT_extract_knowledge.py') use the 'os', 'shutil', and 'zipfile' libraries to manage the local knowledge base. This includes 'SCRIPT_backup_full.py' deleting older archives for backup rotation and 'SCRIPT_normalize_merge.py' moving processed files using 'os.rename'. These actions are consistent with the skill's management and archiving tasks.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 11:11 AM