im-wiki-extractor
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/generate_prompt.pyutilizessubprocess.runto call thememoclicommand line tool. This programmatic execution of shell commands is used to fetch tool documentation at runtime. - [COMMAND_EXECUTION]: The instructions provided in
templates/prompt_template.mddirect the agent to dynamically generate a shell script (.shfile) containing multiple commands and then execute that script using the system shell. This pattern of generating and executing code at runtime increases the complexity of security auditing. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted user data (chat logs) and interpolates it into prompts for a sub-agent.
- Ingestion points: Untrusted chat logs are read from the file system by
scripts/generate_prompt.pyandscripts/setup_workspace.py. - Boundary markers: The prompt template uses
<当前的讨论>tags to wrap the data, but it lacks explicit instructions for the agent to ignore or disregard any commands or directives that may be embedded within the processed chat history. - Capability inventory: The agent is granted the capability to execute shell commands and create/run scripts, providing a high-privilege execution environment for any instructions that might be injected via the chat logs.
- Sanitization: The skill does not perform any validation, sanitization, or escaping of the chat content before it is interpolated into the prompt templates.
Audit Metadata