siyuan-skill
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing shell commands via the `mcporter` utility to interface with the SiYuan Note API. These commands are used for standard note-taking operations such as searching (`unified_search`), reading (`get_document_content`), and appending text (`append_to_daily_note`).
- [EXTERNAL_DOWNLOADS]: The documentation links to the author's GitHub repository (https://github.com/PurpleLiu/siyuan-mcp) to provide the required MCP server. As this repository belongs to the skill's author, it is considered a legitimate vendor resource.
- [PROMPT_INJECTION]: The workflows for organizing notes and generating weekly reports involve reading existing note content to produce summaries. This creates an indirect prompt injection surface where malicious instructions inside a note could potentially influence agent behavior.
  - Ingestion points: `get_document_content` is used in Workflows E and F.
  - Boundary markers: The skill does not implement delimiters or safety warnings for the LLM when processing retrieved note content.
  - Capability inventory: The agent has the ability to read, create, and write to the local note-taking database via shell commands.
  - Sanitization: No explicit content filtering or sanitization is performed on the notes before they are processed by the LLM.
Audit Metadata