reading-cloze-builder
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the execution of a local Python script (scripts/build_output.py) to concatenate and format the final worksheet. This provides a functional surface for file system interactions.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted text from user-provided articles (article.md) and processes them through several reasoning steps without using delimiters or instructions to ignore embedded commands. An attacker could embed instructions within an article to divert the agent's behavior.
  - Ingestion points: The article.md file and user-provided reading passages are read directly into the agent's context.
  - Boundary markers: None. The prompts in assets/day_test_template_v2.md do not include 'ignore embedded instructions' warnings or data delimiters.
  - Capability inventory: The skill can execute Python scripts and perform file read/write operations via scripts/build_output.py.
  - Sanitization: There is no evidence of input validation or sanitization for the content of the source article before it is processed by the AI or the script.
- [DATA_EXFILTRATION]: While no network exfiltration is present, the script scripts/build_output.py reads file paths provided via command-line arguments. If the agent is manipulated via prompt injection, it could be coerced into reading sensitive local files (e.g., .env or configuration files) and writing their content into the public-facing completed.md output.
Audit Metadata