teach-course-builder

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill generates proposed shell commands for building courses by interpolating data extracted from local markdown files directly into CLI arguments.
      • Evidence: In analyze-sources.ts, functions such as extractTitle and extractDescription pull text directly from the source markdown files. The templates/course-plan.md file then uses these values in deno run command templates (e.g., --title "{{title}}").
      • Impact: If a source document contains shell metacharacters or backticks (e.g., a title containing " && rm -rf / && "), the resulting command string could execute unintended shell operations when run in a terminal.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted local documents and reflects their content into the agent's context and proposed actions.
      • Ingestion points: analyze-sources.ts recursively scans directories and reads all .md files provided as input.
      • Boundary markers: Absent. The skill does not use specific delimiters or instruct the agent to ignore potentially malicious instructions embedded within the source documents.
      • Capability inventory: The skill can read local files (--allow-read), access environment variables (--allow-env), and perform network requests (--allow-net) via Deno.
      • Sanitization: Absent. The extractTitle and extractDescription functions in analyze-sources.ts do not sanitize or escape extracted content before including it in the course plan or build commands.
  • [DATA_EXFILTRATION]: The skill is designed to send local file content to a network endpoint defined by configuration.
      • Evidence: scripts/add-lesson.ts reads the content of local markdown files and sends it to the API endpoint defined by the TEACH_API_URL environment variable via the apiPost function in scripts/api-client.ts.
      • Impact: While the default configuration targets a local development server (localhost:4100), if the environment variable is manipulated to point to an external domain, the skill would effectively exfiltrate the contents of any processed files to that remote server.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 09:45 AM