anki
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection through the ingestion of untrusted data from the user's local Anki database.
  - Ingestion points: The `scripts/list_cards.py` file retrieves existing card content from `http://localhost:8765` (AnkiConnect).
  - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when displaying retrieved card content to the agent. The script prints raw field values directly to stdout.
  - Capability inventory: The skill possesses write capabilities (creating new cards via `create_card.py`) and operates within a shell context where the agent can execute commands.
  - Sanitization: There is no evidence of sanitization or filtering of the retrieved data. Raw strings from Anki are passed directly to the agent's context.
- Dynamic Execution (LOW): The `SKILL.md` file explicitly instructs the agent to use `python -c` for deck discovery. While the specific code provided is benign, reliance on runtime execution of generated strings is a risk factor if the parameters are ever sourced from untrusted data.
- Network Operations (INFO): The skill performs network requests to `localhost:8765`. This is the intended behavior for interacting with AnkiConnect and does not represent an exfiltration risk under normal circumstances, but it does establish a communication channel to a local service.
Recommendations
- AI detected serious security threats