Nia
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to read and transmit local file contents and metadata to the Nia service API at apigcp.trynia.ai. This behavior is consistent with the skill's primary stated purpose of indexing local folders for search.
- [PROMPT_INJECTION]: The SKILL.md documentation includes directive headers intended to prioritize Nia's internal search tools over general web access to ensure high-quality context, which is a common workflow optimization for RAG-based skills.
- [EXTERNAL_DOWNLOADS]: Setup instructions recommend using npx to run the nia-wizard from the npm registry, which is a standard procedure for installing necessary vendor-provided configuration tools.
- [DATA_EXPOSURE]: As an indexing tool, the skill processes vast amounts of untrusted external content from repositories and documentation sites.
  - Ingestion points: Untrusted data enters via search.sh, repos.sh, and sources.sh.
  - Boundary markers: No explicit delimiters are used to wrap retrieved external content in the scripts.
  - Capability inventory: The skill environment allows file system reads, network requests to the Nia API, and configuration writes to ~/.config/nia/.
  - Sanitization: Content is structured as JSON using jq for API communication.
Audit Metadata