Skills
skills/mikkelkrogsholm/bookstrap/bookstrap-research/Gen Agent Trust Hub

bookstrap-research

Fail

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: Hardcoded database credentials found in the SurrealDB connection command within the SKILL.md file.
  • Evidence: The command surreal sql --conn http://localhost:2665 --user root --pass root exposes default credentials.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute system-level commands for database management, Python script execution, and Git version control operations.
  • [EXTERNAL_DOWNLOADS]: The skill autonomously searches the web and fetches content from arbitrary external URLs via WebSearch and WebFetch tools to populate the research corpus.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface through its automated ingestion and extraction workflow.
  • Ingestion points: Untrusted data enters the agent context through WebFetch operations on search results found via WebSearch.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are specified for the LLM-based entity extraction process.
  • Capability inventory: The agent has access to Bash execution, filesystem Write access, and WebFetch capabilities, providing multiple vectors for an injection to cause harm.
  • Sanitization: While the documentation mentions stripping JavaScript and active content to prevent traditional web attacks, it lacks sanitization specifically designed to mitigate prompt injection within the processed text.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 16, 2026, 08:06 AM