learn-this
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses Bash to manage a complex content extraction pipeline, executing CLI tools like yt-dlp, curl, reader, trafilatura, and pdftotext. It performs file operations such as moving and deleting temporary files (mv, rm) and uses file redirection to store extracted data locally.
- [EXTERNAL_DOWNLOADS]: The skill includes logic to automatically install dependencies on the host system. It specifically attempts to execute 'brew install yt-dlp' if the tool is not detected. It also mentions and suggests the installation of other third-party tools via npm and pip.
- [REMOTE_CODE_EXECUTION]: The skill processes data from remote URLs by piping the output of curl directly into embedded Python scripts (python3 -c). While the Python scripts are statically defined in the skill, this pattern of feeding raw remote data into an interpreter constitutes a known security risk.
- [PROMPT_INJECTION]: There is a high surface area for indirect prompt injection as the skill's primary function is to ingest and process untrusted content from the internet. Ingestion points include YouTube transcripts, web articles, and PDF text retrieved from user-provided URLs. The skill lacks explicit boundary markers or instructions to the LLM to ignore potentially malicious directions embedded in the extracted content before it is passed to the action planning stage. Sanitization is limited to filename character stripping and does not validate the core content.
Audit Metadata