Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the `markdown` Python package via pip for its assembly process.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to the lack of content sanitization.
  - Ingestion points: The `assemble.py` script reads user-influenced content from `.fragment.md` and `.fragment.html` files located in the `data/writing/email_drafts/` directory.
  - Boundary markers: No delimiters or boundary instructions are present to prevent the agent or the browser from interpreting malicious instructions or scripts embedded within the fragments.
  - Capability inventory: The skill can launch a local HTTP server (`preview-server.py`) and execute shell commands to manage the assembly process.
  - Sanitization: Fragment content is directly injected into the `shell.html` template using string replacement without any escaping or sanitization, making it vulnerable to XSS when viewed in the preview server.
- [COMMAND_EXECUTION]: The assembly script executes `preview-server.py` using `os.execvp` to provide a background preview service for the generated drafts.
Audit Metadata