readwise-rival
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes python3 -c to run embedded Python logic for file operations and data searching within the ~/.xiaodazi/ directory.
- [PROMPT_INJECTION]: Potential for indirect prompt injection as the skill ingests and processes untrusted text from external sources (highlights).
  - Ingestion points: External text (highlights) is stored in JSON files under ~/.xiaodazi/reading/highlights/.
  - Boundary markers: No explicit delimiters or instructions are used to separate untrusted data from agent instructions during retrieval or summarization.
  - Capability inventory: Includes file system access (read/write) and shell command execution (python3 -c).
  - Sanitization: The skill lacks validation or sanitization for the content of highlights before they are re-processed by the LLM for card generation.
Audit Metadata