ljg-the-one
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to execute the command `open /tmp/essence-card-{概念名称}.html` to display the results.
  - Evidence: Found in Step 5 of SKILL.md.
  - Risk: If the variable `{概念名称}` is derived from untrusted user input and not properly sanitized, it could potentially lead to command injection attacks.
- [EXTERNAL_DOWNLOADS]: The skill's HTML template fetches a third-party JavaScript library from a remote source.
  - Evidence: `<script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>` in assets/template.html.
  - Note: Fetches the Mermaid.js library from the jsDelivr CDN, which is a well-known and trusted service for front-end assets.
- [PROMPT_INJECTION]: The skill processes untrusted external data and is vulnerable to indirect prompt injection (Category 8).
  - Ingestion points: Accepts books, concept descriptions, article URLs, or sentences in Step 1 of SKILL.md.
  - Boundary markers: Absent. No explicit delimiters or instructions to ignore embedded commands are present in the prompt structure.
  - Capability inventory: The skill performs file system writes to /tmp and executes the `open` command.
  - Sanitization: Absent. No evidence of input sanitization or validation for the processed content or the resulting file names.
Audit Metadata