
wiki

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it ingests and processes content from user-provided markdown files that may contain malicious instructions.
  • Ingestion points: External content from source notes is loaded in src/wikicli/notebook.py (via Note.load) and is subsequently processed by agent workflows in agents/add.md, agents/search.md, and agents/synthesize.md.
  • Boundary markers: The skill does not implement explicit boundary markers or instructions to the agent to disregard instructions embedded within the processed notes.
  • Capability inventory: The skill possesses the ability to write to the file system (modifying wiki artifacts and source note frontmatter) and explicitly encourages the agent to use file-editing tools to update notebook content based on the information it reads.
  • Sanitization: Although strict path normalization is used to prevent directory traversal and ensure operations remain within the notebook root, the skill does not perform any semantic sanitization or filtering of the note content itself.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 23, 2026, 08:08 AM