spark-cli-knowledge-sharing
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the use of the `spark` CLI binary through the Bash tool to perform operations such as querying, retrieving insights, and sharing knowledge. This is the intended functionality provided by the author.
- [DATA_EXFILTRATION]: The `spark share` command transmits user-generated content (titles, solutions, environment tags) to an external 'knowledge network'. While the skill explicitly instructs the agent to avoid including source code, API keys, or credentials, the mechanism itself is a channel for sending information to external infrastructure.
- [PROMPT_INJECTION]: The skill contains instructions that tell the AI to treat external data as higher priority than its own safety training or public knowledge, stating that Spark recommendations 'supersede general training data'. This directive increases the agent's susceptibility to instructions found in the external data.
- [INDIRECT_PROMPT_INJECTION]: The skill demonstrates a vulnerability surface for indirect prompt injection by ingesting and acting upon untrusted data from a remote service.
  - Ingestion points: Data is ingested from the Spark network via the output of the `spark query` and `spark insights` commands in `SKILL.md`.
  - Boundary markers: There are no explicit boundary markers or instructions to treat the retrieved content as data rather than instructions; in fact, the agent is told to treat the content as requirements.
  - Capability inventory: The agent has access to the Bash tool and is instructed to perform further CLI operations based on the retrieved IDs and indices.
  - Sanitization: No sanitization, filtering, or validation steps are defined to process the JSON or Markdown content returned by the external service before the agent incorporates it into its planning or implementation.
Audit Metadata