karpathy-kb
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill orchestrates the use of external tools like
firecrawlandtweetsmash-apito scrape web content and fetch bookmark data. While this is the intended purpose for building the knowledge base, it involves fetching data from arbitrary external URLs. - [COMMAND_EXECUTION]: The skill provides and executes local scripts:
new-topic.sh(Bash) andlint-wiki.py(Python). new-topic.shusessedto interpolate variables (TITLE,DOMAIN) into template files. These variables are not escaped forseddelimiters, which could lead to command failure or unexpected file modification if special characters are used in the topic title.lint-wiki.pyperforms file system operations (reading markdown files) to validate wikilinks and source references.- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because its core workflow involves ingesting untrusted data from the web and feeding it into the LLM's context for compilation into wiki articles.
- Ingestion points: Web content scraped via
firecrawland bookmark clusters fromtweetsmash-apiare saved as markdown files in theraw/directory. - Boundary markers: The skill uses YAML frontmatter to separate metadata, but lacks explicit instructions or delimiters to prevent the LLM from obeying instructions embedded within the scraped source text.
- Capability inventory: The agent has the ability to write files to the local directory structure and execute shell/python scripts for maintenance.
- Sanitization: No sanitization or content filtering is performed on the ingested raw sources before they are loaded into the context for the compilation phase.
Audit Metadata