summarize
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted external data and interpolates it into an AI prompt for summarization.
  - Ingestion points: The `to-markdown.mjs` script reads content from arbitrary URLs or local files provided via command-line arguments.
  - Boundary markers: Although the script uses `--- BEGIN DOCUMENT ---` and `--- END DOCUMENT ---` delimiters, these are easily bypassed by malicious content that includes these markers to prematurely terminate the block.
  - Capability inventory: The skill can execute system commands (`uvx`, `pi`) and write files to the local disk via `writeFileSync`.
  - Sanitization: No sanitization or filtering is performed on the ingested document content or the user-provided context prompt before interpolation into the prompt sent to the summarizer.
- [DATA_EXFILTRATION]: The skill can read arbitrary local files and transmit their contents to an external AI service.
  - Evidence: The script accepts any file path as input and uses `markitdown` to extract its text, which is then passed to the `pi` tool (an external LLM interface). This could be exploited to expose sensitive data like SSH keys or configuration files if the agent is directed to process them.
- [COMMAND_EXECUTION]: The skill uses `spawnSync` to execute external command-line tools with arguments derived from user input.
  - Evidence: The `runMarkitdown` and `summarizeWithPi` functions in `to-markdown.mjs` spawn subprocesses for `uvx` and `pi`. While the use of argument arrays prevents standard shell injection, the skill relies on the security of the underlying tools when handling untrusted paths and strings.
Audit Metadata