learn-this

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill builds filenames from externally controlled strings (YouTube video titles, article headers) held in shell variables and uses them in the commands it executes. The basic character replacement applied with tr is a denylist: any shell-sensitive character it does not cover, a leading dash, or a `..` path component passes through unchanged. Unless every expansion is quoted and the name is reduced to an allowlist of safe characters, command injection or path traversal may still be possible.
  • [EXTERNAL_DOWNLOADS]: The skill performs automated installation of third-party tools (e.g., brew install yt-dlp) and suggests manual installation of others (poppler, reader, trafilatura). This pattern executes code from external package managers at runtime.
  • [REMOTE_CODE_EXECUTION]: The skill runs inline Python with python3 -c to process untrusted data. If the untrusted strings are interpolated into the -c source text itself, rather than passed as arguments or on stdin, a crafted title or article can terminate the string literal and execute arbitrary Python in the interpreter.
  • [PROMPT_INJECTION]: The skill represents a significant indirect prompt injection surface.
      • Ingestion points: Data is ingested from user-provided URLs via curl, yt-dlp, and various scrapers in SKILL.md.
      • Boundary markers: There are no boundary markers around the extracted content, and no instruction to the agent to disregard instructions found inside it, before it is passed to the planning stage.
      • Capability inventory: The skill has access to the Bash, Read, and Write tools, so it can execute system commands and modify the filesystem.
      • Sanitization: Filenames undergo basic character substitution, but the content of the articles and transcripts is not sanitized before the LLM analyzes it to create action plans.
  • [DATA_EXFILTRATION]: The skill uses curl to fetch content and response headers from arbitrary, user-supplied URLs with no scheme or host restriction. The same fetch can therefore be pointed at internal network services or cloud metadata endpoints (SSRF), and whatever it returns enters the content the agent analyzes.
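The three findings above (a filename derived from an untrusted title, untrusted text handed to python3 -c, and an unrestricted curl fetch) share one remedy: keep the value as data at every boundary. The following is an added example written for this page; it is not code from the learn-this skill or its SKILL.md. safe_name, word_count, url_allowed and fetch_article are hypothetical names, and every title and URL in it is constructed test input.

```sh
#!/bin/sh
# Added example, not code from the learn-this skill: hardened forms of the
# three patterns the audit flags. Function names and all inputs are
# constructed for illustration.

# 1. Filename from an untrusted title (YouTube title, article header).
#    A denylist `tr` keeps whatever it did not think of. This allowlist keeps
#    only [A-Za-z0-9._-], squeezes runs of `_`, strips leading/trailing
#    dots, dashes and underscores (so no dotfile, no `..`, nothing that parses
#    as an option), caps the length, and falls back to a fixed name.
safe_name() {
    name=$(printf '%s' "$1" | tr '\n' '_' \
        | LC_ALL=C sed -e 's/[^A-Za-z0-9._-]/_/g' -e 's/__*/_/g' \
                       -e 's/^[._-]*//' -e 's/[._-]*$//' \
        | cut -c1-100)
    [ -n "$name" ] || name=untitled
    printf '%s' "$name"
}

# 2. Untrusted text into an inline python3 -c snippet. Splicing the value
#    into the source string (python3 -c "t='$title'; ...") lets a quote in
#    the title end the literal and start code. Passed as an argument it stays
#    data: python stops option parsing after the -c source, so even a title
#    beginning with `-` arrives in sys.argv[1] unchanged.
word_count() {
    python3 -c 'import sys; print(len(sys.argv[1].split()))' "$1"
}

# 3. URL vetting before curl (the SSRF point). Allow only http(s), only a
#    DNS name whose last label is alphabetic (rejects dotted-quad, decimal
#    and hex IPv4 literals, [IPv6], userinfo@host), and none of the names
#    that mean the local host or a cloud metadata service. Returns 0 if the
#    URL may be fetched. Caveat: the name is not resolved here, so a DNS
#    record that points at 169.254.169.254 or 10.0.0.0/8 still passes; a
#    complete guard also resolves the name and checks the address.
url_allowed() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    # host = authority without the scheme, path, query, fragment and port
    host=$(printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[/?#].*||' -e 's|:.*||')
    printf '%s\n' "$host" | grep -Eq '^([A-Za-z0-9-]+\.)*[A-Za-z]+$' || return 1
    case "$host" in
        localhost|*.localhost|*.local|*.internal|metadata|metadata.*) return 1 ;;
    esac
    return 0
}

# Fetch through the guard. No -L: a redirect is reported, not followed to a
# URL the guard never saw; --proto limits curl to these schemes regardless
# of what the URL says.
fetch_article() {
    url_allowed "$1" || { printf 'refusing to fetch: %s\n' "$1" >&2; return 1; }
    curl --fail --silent --show-error --max-time 30 --proto '=http,https' "$1"
}

# Demo on constructed inputs (neither python3 nor the network is needed).
for t in '../../.ssh/authorized_keys; rm -rf ~' '--help' '   '; do
    printf '%-40s -> %s\n' "$t" "$(safe_name "$t")"
done
for u in 'https://example.com/article' 'http://169.254.169.254/latest/meta-data/' \
         'http://0x7f000001/' 'http://[::1]:8080/'; do
    if url_allowed "$u"; then printf 'allow  %s\n' "$u"; else printf 'reject %s\n' "$u"; fi
done
```

url_allowed is a syntactic pre-check only: it does not resolve the hostname, so a DNS entry that points at 169.254.169.254 or a private range still passes. A complete guard resolves the name, rejects loopback, link-local and private addresses, and pins curl to the vetted address with --resolve so the check and the fetch see the same host.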
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 03:13 AM