quote-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill combines ingestion of untrusted text with local file-writing, so instructions embedded in an article can become actions on the local disk.
- Ingestion Points: Step 1 allows the agent to read content from user-specified local file paths or arbitrary pasted text (articles).
- Boundary Markers: There are no specified delimiters or instructions to the agent to treat article content as data only, increasing the risk that the LLM obeys instructions embedded within a 'quote'.
- Capability Inventory: Step 6 ('执行写入', "execute write") explicitly requires the agent to 'physically write to files' using a Write tool.
- Sanitization: No sanitization or validation of the extracted content is mentioned before it is written to disk, so a malicious payload carried in an article can be persisted into the vault.
- Data Exposure & Path Traversal (MEDIUM): The skill hardcodes absolute Windows file paths (E:\OBData\ObsidianDatas...).
- Evidence: Step 5 and Step 6 use specific local directories for indexing and storage. If an attacker-controlled article influences the 'Theme' (主题) used to generate the filename, it could lead to path traversal unless the filename is strictly validated by the underlying tool.
- Safety Bypass Patterns (LOW): The skill's description and positioning include phrases like '无需审计流程' ("no audit process needed").
- Evidence: While intended to contrast with a 'knowledge_auditor' skill, this language can be interpreted by the LLM as a directive to skip safety checks or verification steps when processing potentially harmful content.
Recommendations
- AI detected serious security threats
Audit Metadata