typst
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates data-driven document generation by loading external data sources (JSON, CSV, YAML) and processing command-line inputs (sys.inputs). This introduces a surface for indirect prompt injection where instructions hidden within the external data might influence the agent's behavior during the compilation or generation process.
  - Ingestion points: Described in `references/data-driven.md` using the `json()`, `csv()`, and `yaml()` functions.
  - Boundary markers: No specific delimiters or boundary markers are implemented in the document templates to isolate untrusted data from document logic.
  - Capability inventory: The skill utilizes `typst compile` for rendering and interacts with image-generation MCP tools like `gemini-generate-image`.
  - Sanitization: No explicit sanitization, escaping, or validation of content from external data fields is demonstrated in the provided examples.
- [COMMAND_EXECUTION]: The skill provides standard command-line patterns for Typst compilation, batch processing via shell scripts, and Python virtual environment management using `uv`. These operations are directly related to the skill's primary function of document production.
- [EXTERNAL_DOWNLOADS]: References numerous packages from the official Typst Universe registry (`@preview`). These dependencies are well-known within the ecosystem and the skill references specific versions, which is a secure practice.
Audit Metadata