manabi-ingest
Warn
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by ingesting untrusted content from external URLs and local files for processing by LLM agents.
  - Ingestion points: Transcripts, page text, and external links are extracted from platforms like YouTube, Udemy, Loom, and UTAGE (SKILL.md Phase A).
  - Boundary markers: The instructions do not define delimiters or specific 'ignore' instructions for the ingested text when it is passed to agents like concept-extractor or visual-indexer.
  - Capability inventory: The skill's environment includes the ability to download files, execute shell commands, and write new executable skills to the ~/.claude/skills/ directory.
  - Sanitization: There is no evidence of sanitization or content validation before the data is processed by subsequent models.
- [COMMAND_EXECUTION]: The skill specifies the use of bypassPermissions mode for background agents performing knowledge extraction and indexing. This suppresses user confirmation for the agent's actions, which could be leveraged if the agent is influenced by malicious instructions embedded in the ingested course content.
- [COMMAND_EXECUTION]: The skill includes a 'Skill Synthesis' feature (Phase B Level 3) that generates and installs new executable skills into the user's skill directory based on content analyzed from untrusted sources. This allows untrusted input to influence the generation of executable code, although the skill does include a mandatory human-in-the-loop approval step for the generated plan.
- [EXTERNAL_DOWNLOADS]: The skill automates the downloading of video and resource files from several external platforms. While the identified platforms (YouTube, Udemy, Loom, Notion) are well-known services, the content retrieved from them is treated as untrusted data that drives the skill's automated code-generation pipeline.
Audit Metadata