webnovel-query
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted novel data from the project directory, such as '.webnovel/state.json' and chapter markdown files, which acts as a surface for indirect prompt injection. Attacker-controlled story content or metadata could attempt to override agent instructions during analysis.
  - Ingestion points: 'SKILL.md' reads project state via 'cat "$PROJECT_ROOT/.webnovel/state.json"' in Step 3; 'system-data-flow.md' describes the Data Agent's automated extraction of entities and state changes from novel text.
  - Boundary markers: None explicitly used; project files are read directly into the agent context.
  - Capability inventory: The skill uses 'Bash' and 'Python' to execute logic, and has file system access via 'Read', 'Grep', and 'Bash' tools.
  - Sanitization: No sanitization or escaping of ingested novel content is provided in the instructions.
- [COMMAND_EXECUTION]: The skill uses 'Bash' to set environment variables and execute a Python helper script ('webnovel.py') located in the plugin's script directory. These commands are used to resolve the project root and perform analysis on story elements like 'urgency' and 'strand' rhythm. While functional, this involves shell execution with parameters derived from the local workspace.
Audit Metadata