zhihu-html
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it extracts context from untrusted Markdown files (
extract-refs.mjs) to be processed by an AI agent. While an attacker could attempt to embed malicious instructions in the Markdown to influence the AI's generation of reference metadata, the impact is low due to robust sanitization in the final script. - Ingestion points:
extract-refs.mjsreads user-controlled content from Markdown files provided via the--inputargument. - Boundary markers: The data is transferred via a structured JSON format, but the text extracted from the Markdown does not utilize specific boundary delimiters to isolate it from the AI's instructions.
- Capability inventory: The skill scripts are limited to local file system read/write operations and do not possess network access or the ability to execute arbitrary shell commands.
- Sanitization: The
apply-refs.mjsscript implements anescapeAttrfunction that correctly sanitizes the AI-generateddataTextvalues (escaping &, ", <, and >) before inserting them into the final HTML document, preventing the AI from breaking out of the attribute context.
Audit Metadata