skills/jmagar/claude-homelab/linkding/Gen Agent Trust Hub

linkding

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file contains forceful directives (e.g., 'MANDATORY SKILL INVOCATION', 'YOU MUST invoke this skill', 'Failure... violates your operational requirements') that attempt to override the agent's default tool-selection logic and autonomous reasoning.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data.
    • Ingestion points: User-supplied URLs, titles, descriptions, and tags entering the agent context via the create and update commands in scripts/linkding-api.sh.
    • Boundary markers: Absent; user-provided metadata is incorporated into API payloads without explicit delimiters or warnings to ignore embedded instructions.
    • Capability inventory: Network access to the Linkding API via curl and execution of local shell scripts.
    • Sanitization: The skill uses jq to properly encode data for JSON payloads and URL parameters, which prevents command and JSON injection but does not mitigate the risk of the LLM following instructions embedded within the text data.
  • [COMMAND_EXECUTION]: The skill executes local shell scripts (scripts/linkding-api.sh) using the zsh-tool. It implements strong defensive measures by using set -euo pipefail and jq for safe argument handling, which mitigates the risk of traditional command injection.
  • [DATA_EXFILTRATION]: The skill performs network operations to a user-configured Linkding server. It follows secure practices for handling sensitive data by instructing the user to store the API token in a local .env file with restricted permissions (chmod 600) rather than hardcoding credentials.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 02:57 AM