book-mirror
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a variety of shell commands including `unzip`, `find`, `sort`, `pdftotext`, and a custom CLI tool `gbrain book-mirror`. It also executes a multi-line Python script passed via a heredoc to `python3` to process extracted HTML content.
- [EXTERNAL_DOWNLOADS]: The skill explicitly instructs the agent to install external Python packages at runtime using `pip3 install beautifulsoup4 lxml` if they are missing.
- [DATA_EXFILTRATION]: The skill collects highly sensitive personal information from the user's environment, including `USER.md`, `SOUL.md`, and the last 14 days of daily reflections from `wiki/personal/reflections/`. While this data is intended to be used as context for the personalization feature, it represents a significant exposure of private user data to the underlying LLM provider.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It extracts text from untrusted external files (EPUB/PDF books) and processes this content in a high-capability environment that has access to the user's personal history and the ability to write new pages.
  - Ingestion points: EPUB and PDF files provided by the user (extracted via `unzip` and `pdftotext`).
  - Boundary markers: No explicit markers or sanitization are mentioned to distinguish untrusted book content from the personal context pack during the analysis phase.
  - Capability inventory: Access to shell commands, Python execution, and the ability to write pages via `put_page` (orchestrated by the CLI).
  - Sanitization: None. The skill relies on the assumption that the `gbrain book-mirror` CLI handles trust narrowing, which is an unverified claim.
Audit Metadata