generate-writeup
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to perform multiple shell operations using the
uv runcommand. These commands interpolate variables such as , <pdf_path>, and <presentation_folder>, which are derived from a user-controlled presentation.md file. If the agent executes these strings in a shell without rigorous sanitization, a malicious user could achieve arbitrary command execution by including shell metacharacters in the input file. - [EXTERNAL_DOWNLOADS]: The pipeline involves downloading content from external URLs provided by the user (Slides and Video). This functionality exposes the system to risks associated with processing untrusted remote data and potential SSRF (Server-Side Request Forgery) if the environment can access internal services.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from transcripts and extracted slide text and includes them in the prompt for Step 7.
- Ingestion points: presentation.md, transcript.txt, and slide_ascii.md (derived from slides).
- Boundary markers: Absent. The prompt uses labels like TRANSCRIPT and SLIDE_TEXT but lacks strong delimiters (e.g., random tokens) or instructions for the model to treat the content as data rather than instructions.
- Capability inventory: Subprocess execution via uv run (Steps 1, 2, 3, 5), file system write access (Steps 4, 6, 7, 8, 9), and network access (Steps 1, 3).
- Sanitization: No sanitization of external content is described before interpolation into the prompt.
Audit Metadata