dendron
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill discloses an absolute local directory path: /Users/kevinlin/code/dendron-lite/prisma/schema.prisma. This reveals the author's local system username and file organization.
- [COMMAND_EXECUTION]: The skill utilizes shell-based utilities such as 'sqlite3', 'rg' (ripgrep), and 'find'. These tools can be vulnerable to command injection if user-provided search terms or file paths are not properly escaped before being passed to the shell.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface with the following details:
- Ingestion points: Reads markdown files from the local filesystem and markdown content from the 'raw' field of a SQLite database.
- Boundary markers: There are no delimiters or markers instructed to separate untrusted note content from agent instructions.
- Capability inventory: The skill can execute shell commands and write markdown files to the local filesystem.
- Sanitization: While the skill mentions using parameterized queries for SQL, it does not describe any sanitization or validation of the markdown content retrieved from the database or filesystem before it is processed by the agent.
Audit Metadata