joplin-publisher
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted external data and possesses significant system capabilities.
- Ingestion points: The
publish_to_joplinandbatch_importfunctions accepttitle,content, andtagsas strings, which typically originate from external sources or previous agent steps. - Boundary markers: Absent. Untrusted content is interpolated directly into markdown files and passed to CLI commands without delimiters or safety instructions.
- Capability inventory: The skill can write to the filesystem (
Path.write_text), delete files (Path.unlink), and execute arbitrary Joplin CLI commands (subprocess.run). - Sanitization: None. Input strings are used directly in file creation and command arguments without validation or escaping.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses
subprocess.runto interact with the Joplin CLI. Although it uses a list for arguments (avoiding simple shell injection), the use of user-controlled variables fornotebookandtitlewithout sanitization remains vulnerable to argument injection, where a malicious string starting with a hyphen (e.g.,--some-flag) could alter the CLI command's behavior. - [EXTERNAL_DOWNLOADS] (LOW): The skill requires installing the
joplinCLI via npm (npm install -g joplin). While Joplin is a legitimate tool, global installations from external registries increase the system's attack surface. - [DATA_EXFILTRATION] (LOW): The skill documentation and API examples encourage the use of sensitive data like
token,username, and server URLs. While no credentials are hardcoded, the handling of these secrets within an agent context that processes untrusted markdown presents a risk of exposure.
Recommendations
- AI detected serious security threats
Audit Metadata