blog-to-kindle
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The scripts/send_to_kindle.py script constructs AppleScript commands using Python f-strings. Because the variables for subject, kindle_email, and file_path are inserted directly without escaping, a malicious title or filename could execute arbitrary AppleScript code on the host system via the osascript execution point.
- EXTERNAL_DOWNLOADS (LOW): The scripts/fetch_blog.py script downloads data from external websites and allows for 'custom' user-provided URLs.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection.
  1. Ingestion points: External blog content fetched from URLs in scripts/fetch_blog.py.
  2. Boundary markers: Absent; content is converted to markdown and combined without delimiters or safety instructions.
  3. Capability inventory: Subprocess calls (pandoc and osascript), file system writes, and automated email sending via Mail.app.
  4. Sanitization: None; uses BeautifulSoup to extract text but does not sanitize content for embedded LLM instructions.
- DATA_EXFILTRATION (MEDIUM): The skill hardcodes a specific delivery destination (simonpilkington74_8oVjpj@kindle.com) in SKILL.md and scripts/send_to_kindle.py, which acts as a default for all sent documents.
Recommendations
- AI detected serious security threats
Audit Metadata