tech-docs-guide
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection because it is designed to ingest and process untrusted external data (technical documents for editing or review).
- Ingestion points: External Markdown files provided for editing, formatting, or review (File: SKILL.md, Execution Flow).
- Boundary markers: None identified. There are no instructions to the agent to ignore embedded commands within the documents being processed.
- Capability inventory: Command execution via 'npm run format' and network access via 'web fetch' (Step 2.1, Step 4).
- Sanitization: None. The agent is not instructed to sanitize or validate the content of the documents it reads.
- Risk: A malicious document could contain instructions that trick the agent into misusing its command execution or network capabilities.
- [COMMAND_EXECUTION] (MEDIUM): Step 4 of the execution flow explicitly instructs the agent to run 'npm run format'. This is an arbitrary shell command that depends on the local environment's package.json configuration. In an adversarial context, this script could be modified to perform malicious actions when triggered by the agent.
- [EXTERNAL_DOWNLOADS] (LOW): Step 2.1 instructs the agent to "fetch the latest relevant information via web fetch" (original: "通过 web fetch 最新的相关信息"). This grants the agent permission to access external, untrusted web content to verify documentation accuracy, which can be used as a vector for data ingestion or potential exploitation.
Recommendations
- AI detected serious security threats
Audit Metadata