qiaomu-info-card-designer
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow in SKILL.md includes shell script templates that incorporate user-provided URLs (e.g., paper_id=$(echo "$url" | grep ...) and curl -sL "{url}"). This presents a command injection risk if the agent does not properly sanitize input before execution in a shell environment.
- [EXTERNAL_DOWNLOADS]: The skill fetches external content using third-party proxies (r.jina.ai, defuddle.md) and instructs the agent to install Python packages (playwright, Pillow, numpy) and browser binaries at runtime.
- [REMOTE_CODE_EXECUTION]: The skill generates HTML files from untrusted web content and renders them using Playwright. This execution environment has access to the local filesystem via file:/// URIs (used for local fonts), which could be exploited by malicious scripts in the fetched content to access sensitive local files.
- [DATA_EXFILTRATION]: User-provided URLs are transmitted to external third-party services (r.jina.ai, defuddle.md) for content extraction. This involves sending potentially private or internal URLs to external infrastructure.
- [PROMPT_INJECTION]: The skill fetches untrusted data from URLs and processes it to summarize key findings, creating a surface for indirect prompt injection.
  - Ingestion points: External URLs provided by the user in SKILL.md Step 0.
  - Boundary markers: Absent; the skill does not specify delimiters or instructions to the agent to treat fetched content as untrusted data.
  - Capability inventory: Shell execution (curl), filesystem access (/tmp, ~/Downloads), and headless browser rendering (playwright).
  - Sanitization: Absent; the skill lacks explicit instructions to sanitize or escape web content before it is processed by the agent or rendered in the browser.
Audit Metadata