kb-harvest
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill allows the agent to read content from "arbitrary local directories" and "sibling repos." While it excludes common folders such as .git/ and node_modules/, it does not explicitly prevent access to sensitive user configuration files such as ~/.ssh/ or .env files. If a user or a malicious instruction supplies a path to these files, the skill would "harvest" and "distill" their contents into the project's knowledge base, potentially exposing credentials.
- [EXTERNAL_DOWNLOADS]: The skill uses a tool to fetch content from arbitrary, user-provided web URLs.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external sources and instructs the agent to convert that data into "actionable rules in imperative voice."
- Ingestion points: External web URLs (retrieved via tool) and local/sibling repository files (retrieved via file tools).
- Boundary markers: The skill incorporates a human-in-the-loop verification step using a confirmation prompt before writing any content to the disk.
- Capability inventory: The skill has read access to the local file system and web, and write access to the project's documentation files.
- Sanitization: The skill includes a rule to strip authentication tokens from fetched URLs, but lacks logic to sanitize the content for malicious instructional patterns embedded in the source text.
Audit Metadata