note-writer
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
- [Command Execution] (MEDIUM): The skill workflow (SKILL.md) and reference guides (categories.md, linking.md) rely on executing shell commands such as `grep`, `find`, and `ln -s` to search for existing notes and manage the project structure.
- [Data Exposure] (MEDIUM): The input analysis phase (SKILL.md) explicitly instructs the agent to read content from user-provided 'file paths'. An adversary could provide paths to sensitive local files (e.g., `~/.ssh/id_rsa`, `.env`) to have the agent summarize or expose their contents.
- [Dynamic Execution] (MEDIUM): The skill creates symbolic links using `ln -s` with paths derived from category and topic names. Maliciously crafted names containing path traversal sequences (e.g., `../../`) could potentially be used to link sensitive system directories into the agent's workspace.
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from URLs (via WebFetch) and files. Instructions embedded within these external sources could attempt to influence the agent's output or note-writing behavior.
  - Ingestion points: SKILL.md (Workflow Step 1) mentions 'WebFetch' for URLs and reading content from file paths.
  - Boundary markers: None identified in the provided templates; external content is processed directly.
  - Capability inventory: Shell execution (`grep`, `find`, `ln -s`), file system read/write, and network access (WebFetch).
  - Sanitization: No explicit sanitization or validation of the input 'file paths' or URL content is described.
Audit Metadata