llms-txt-support
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process documentation from any website that implements the `llms.txt` standard. This is a primary vector for indirect prompt injection.
  - Ingestion points: `Step 4` uses `curl` to download content from an arbitrary `example.com` (placeholder for user-provided URLs) into `docs/llms.txt`.
  - Boundary markers: Absent. The skill treats the fetched `llms.txt` content as trusted 'LLM-optimized markdown' without delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The skill executes `curl`, `skill-seekers scrape`, `grep`, `head`, and `cp`. The `cp` command writes the untrusted content to `output/myskill/references/complete.md`, potentially influencing future agent actions or other skills.
  - Sanitization: Absent. Validation in `Step 2` only checks for HTTP errors and basic file structure, not for malicious instructions embedded within the markdown content.
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill relies on an external command `skill-seekers` (referenced to a non-trusted GitHub repository `jmagly/Skill_Seekers`).
  - Evidence: `Step 4` executes `skill-seekers scrape --llms-txt docs/llms.txt`. Executing unverified tools on untrusted data fetched from the network is a high-risk pattern.
- External Downloads (MEDIUM): The skill performs multiple network requests to arbitrary domains using `curl` to probe for and download various `llms.txt` variants. While `curl -I` (headers only) is low risk, the subsequent download of full content for processing elevates the risk when combined with the lack of sanitization.
Recommendations
- AI detected serious security threats
Audit Metadata