quark-download

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE

COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION

Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script (scripts/quark_search.py) to manage its core functional workflow, including environment checks, search queries, and local application control.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with external APIs including s.panhunt.com (PanSou API) for resource discovery and drive-pc.quark.cn (official Quark API) for share validation and file listing.
  • [DATA_EXFILTRATION]: User-provided search keywords are sent to the external PanSou API service to retrieve resource links. This is a functional requirement and does not involve sensitive system data.
  • [PROMPT_INJECTION]: The skill processes untrusted search results from external APIs, creating an indirect prompt injection surface. Evidence Chain: (1) Ingestion points: Search results from PanSou API in scripts/quark_search.py. (2) Boundary markers: None explicitly defined in the prompt interpolation. (3) Capability inventory: Local script execution and HTTP interaction with local Quark app. (4) Sanitization: Alphanumeric regex validation for share IDs. Risk is mitigated by the requirement for user selection and confirmation before any save operation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 27, 2026, 08:03 PM