hosting-karakeep
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous instructions involving the use of sudo to manage systemd services, Podman containers, and custom update scripts.
- Evidence: Commands like "sudo systemctl start podman-karakeep.service", "sudo karakeep-update", and "sudo podman logs" are explicitly listed in SKILL.md and troubleshooting.md for operational tasks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core function is to archive and process external web content, which could contain malicious instructions for the agent.
- Ingestion points: Web pages fetched by the "karakeep-chrome" container for archiving (SKILL.md).
- Boundary markers: No specific markers or instructions are provided to the agent to distinguish between its own system instructions and archived content when reading or summarizing data.
- Capability inventory: The skill has access to administrative system commands (sudo) and local file systems, which could be targeted by successful injection.
- Sanitization: The documentation explicitly mentions removing Content Security Policy (CSP) headers in the Caddy configuration to resolve rendering issues, which reduces protection against cross-site scripting (XSS) in the archive view (troubleshooting.md).
Audit Metadata