knowledge-skill
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The scripts scripts/knowledge_save.py and scripts/knowledge_search.py contain a hardcoded fallback database password ('bili123456') in their database configuration objects. \n- [COMMAND_EXECUTION]: The skill executes system utilities including ffmpeg and yt-dlp via subprocess.run to process content derived from external URLs. It also programmatically executes other local agent skills using the uv run command. \n- [REMOTE_CODE_EXECUTION]: The script scripts/knowledge_save_from_url.py implements a pattern of downloading binary video data from dynamic URLs and immediately processing it with the ffmpeg parser, which represents a potential execution vector if the source content is maliciously crafted. \n- [EXTERNAL_DOWNLOADS]: The skill fetches content from several external sources, including downloading video files from social media CDNs and retrieving web article data via the jina.ai proxy service. \n- [PROMPT_INJECTION]: An indirect prompt injection surface exists in the generate_ai_summary function. \n
- Ingestion points: Untrusted content is fetched from external URLs in scripts/knowledge_save_from_url.py. \n
- Boundary markers: No delimiters or instructions to ignore embedded commands are used in the summary generation prompt. \n
- Capability inventory: The skill has database write access, network API access to SiliconFlow, and local command execution capabilities. \n
- Sanitization: Content is truncated by character count but is not sanitized for malicious instruction patterns.
Recommendations
- HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata