xlb-topic-index
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted external content (Markdown and HTML) to build its index, which could contain malicious instructions designed to influence the agent's behavior. Evidence chain:
  1. Ingestion points: scripts/retrieve-topic-index.sh and scripts/fetch-topic-index.sh ingest raw data into the cache/ directory.
  2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands were found in the provided scripts.
  3. Capability inventory: The skill can execute local shell commands, perform network requests via curl, and open arbitrary URLs in local applications (browsers or ChatGPT Atlas).
  4. Sanitization: No sanitization or filtering logic is present in the shell scripts, though it might reside in the missing xlb_rag_pipeline.py file.
- Command Execution (LOW): The skill relies heavily on shell script execution and dynamic command routing. Specifically, the variable XLB_EXTERNAL_ROUTE_CMD in scripts/retrieve-topic-index.sh allows the execution of an arbitrary command string provided via the environment.
- External Downloads (SAFE): The skill includes a prefetch mechanism for web content, but it is protected by a network confirmation gate (XLB_NETWORK_CONFIRMED), ensuring network actions only occur when explicitly permitted.
- Missing Component (LOW): The core logic file scripts/xlb_rag_pipeline.py is frequently called but was not provided, preventing a comprehensive audit of the data processing and sanitization logic.
Audit Metadata