cn-holiday
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs HTTP GET requests to https://timor.tech/api/holiday to fetch holiday and workday information.
- [COMMAND_EXECUTION]: The skill is intended to be executed as a CLI tool using the bun runtime via the scripts/holiday.ts entry point.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection.
  1. Ingestion points: Holiday data is fetched from the timor.tech API in scripts/lib/http.ts.
  2. Boundary markers: The skill does not implement delimiters or instructions to ignore embedded commands in the API response.
  3. Capability inventory: The skill has the capability to perform network requests and local command execution.
  4. Sanitization: While input flags like dates and years are strictly validated against regex patterns and ranges in scripts/lib/validators.ts, the skill does not sanitize the text content returned by the API before providing it to the agent context.
Audit Metadata