deep-reading
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of processing external, untrusted articles.
  - Ingestion points: External article content and user drafts enter the system via file-read operations in `references/workflow.md` and are stored in the variables `${article_content}` and `${draft_notes}`.
  - Boundary markers: The skill lacks robust boundary markers (e.g., XML tags) or explicit instructions to the AI to ignore instructions embedded within the processed text; it uses simple textual labels like '原文:' ('original text:'), which are easily bypassed.
  - Capability inventory: The system possesses significant capabilities, including spawning sub-agents via the `Task` tool, executing shell commands via `Bash`, and reading from and writing to the local file system.
  - Sanitization: There is no evidence of input validation or sanitization before the external content is interpolated into the prompts for sub-agents (Organizer, Explainer, etc.).
- COMMAND_EXECUTION (LOW): The skill uses shell command execution for routine tasks.
  - Evidence: In `references/workflow.md`, the skill executes `mkdir -p "outputs/$timestamp"` via the `Bash` tool. While the current usage is restricted to directory creation with a system-generated timestamp, the reliance on shell commands for file management is an unnecessary increase in the attack surface compared to using native file-system APIs.
Audit Metadata