Parser

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It is designed specifically to ingest and analyze untrusted data from external URLs, transcripts, and documents.
      • Ingestion points: Data enters the context via URLs processed in lib/parser.ts and through various content extractors in the Workflows/ directory (YouTube transcripts, PDF text, article HTML).
      • Boundary markers: Prompts in the Prompts/ directory (e.g., entity-extraction.md, summarization.md) use triple-quote (""") delimiters to wrap external content. While present, these are insufficient to prevent a determined adversarial injection embedded in the processed content.
      • Capability inventory: The skill possesses the ability to execute shell commands (yt, pdftotext, pdfinfo, curl), write files to the local file system (Bun.write, fs.writeFile), and perform local network requests.
      • Sanitization: No significant sanitization or instruction filtering is performed on the content before it is interpolated into the LLM prompts.
  • COMMAND_EXECUTION (MEDIUM): Multiple workflows (e.g., ExtractYoutube.md, ExtractPdf.md, ExtractBrowserExtension.md) instruct the agent to execute shell commands using external utilities.
      • Evidence: Use of yt --transcript, pdftotext, pdfinfo, unzip, and curl for downloading and processing files. While the current implementation in lib/parser.ts contains placeholders, the workflows explicitly direct the agent to perform these actions, which could be exploited if an attacker can manipulate filenames or URL structures.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill automatically downloads remote files for analysis.
      • Evidence: ExtractPdf.md downloads PDF files via curl. ExtractBrowserExtension.md fetches browser extension CRX files from Google's servers. While the sources described are often trusted (e.g., Google, ArXiv), the skill acts as a bridge for remote content to reach the local system's utilities.
  • DATA_EXFILTRATION (LOW): The skill performs automated network requests to localhost:8888/notify for 'voice notifications'.
      • Evidence: Every workflow in SKILL.md and the Workflows/ directory begins with a mandatory curl command to a local server. While targeting localhost reduces the risk of remote exfiltration, it represents an automated side channel for internal data flow.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:46 AM