book-sft-pipeline

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The documentation includes instructions for installation using platform-specific plugin commands and for managing Python dependencies via pip. It also recommends using shell commands such as grep to verify the originality of generated outputs against the training data.
  • [EXTERNAL_DOWNLOADS]: The skill links to and utilizes external datasets from Hugging Face and research papers from arXiv. These resources are from established repositories and are necessary for the skill's function.
  • [DATA_EXFILTRATION]: The pipeline is designed to work with the Tinker training service, requiring the transmission of training data (JSONL format) to external servers. This data transfer is the core intended functionality of the skill.
  • [PROMPT_INJECTION]: The skill ingests untrusted content from ePub files in Phases 1 and 2, which is then used as context for generating training instructions with an LLM in Phase 3. This is an indirect prompt injection surface. (1) Ingestion points: Text extracted from ePub paragraphs in SKILL.md. (2) Boundary markers: No explicit delimiters or instructions are provided to separate the ingested book content from the instruction generation prompt. (3) Capability inventory: The skill has access to remote training APIs and local command execution. (4) Sanitization: While there is no input sanitization, Phase 6 includes originality and style markers verification to evaluate model outputs.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 05:24 AM