book2skill
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection due to its core function of processing untrusted external book text to generate executable AI skills.
- Ingestion points: Processes user-provided book files in various formats (PDF, EPUB, TXT) across multiple stages of the RIA-TV++ pipeline.
- Boundary markers: While the methodology limits quotes to 150 words, there are no robust XML-style delimiters or explicit "ignore embedded instructions" warnings in the sub-agent extractor prompts to prevent book content from hijacking the extraction logic.
- Capability inventory: The workflow spawns multiple sub-agents using agent tools and performs write operations to the local filesystem to create new executable skill files (SKILL.md).
- Sanitization: The prompts lack explicit instructions to sanitize extracted text or to disregard instructions found within the source material that might target the agent's behavior.
- [EXTERNAL_DOWNLOADS]: The documentation references and encourages integration with external third-party tools (nuwa-skill, darwin-skill) and provides links to several external GitHub repositories for pre-generated skill packs. While these are associated with the skill's author, they represent an external dependency chain.
- [NO_CODE]: The skill consists entirely of instructional prompts and templates. It does not include or execute traditional scripts (e.g., Python or Shell) but functions by generating new instructional code for the agent to execute in future sessions.
Audit Metadata