doubleword-batch
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill encourages the agent to fetch and parse raw markdown documentation from 'docs.doubleword.ai'. This creates a vulnerability to indirect prompt injection if the remote content is compromised or contains adversarial instructions.
  - Ingestion points: Documentation fetch URLs such as 'https://docs.doubleword.ai/batches/getting-started-with-batched-api.md' mentioned in SKILL.md.
  - Boundary markers: Absent; there are no instructions to the agent to isolate or ignore instructions within the fetched data.
  - Capability inventory: The skill allows the agent to write files (results.jsonl), perform network requests via 'requests' and 'openai', and execute shell commands via 'npx'.
  - Sanitization: None provided.
- [Data Exposure & Exfiltration] (HIGH): Multiple code snippets in SKILL.md include 'YOUR_API_KEY' placeholders. This practice frequently leads to users hardcoding sensitive credentials in cleartext scripts that the agent may then handle or log.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill requires the installation of the 'autobatcher' Python package. This package is managed by an untrusted external entity (doublewordai) and is not part of the trusted whitelist.
- [COMMAND_EXECUTION] (MEDIUM): The installation instructions use 'npx skills add', which executes a remote script to integrate the capability into the agent's environment.
Recommendations
- AI detected serious security threats
Audit Metadata