add-karpathy-llm-wiki

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands including curl, npx, npm run, launchctl, and systemctl to manage files, register groups, and restart system services.
  • [EXTERNAL_DOWNLOADS]: Instructs the agent to use curl to download full documents from external URLs into a local sources/ directory for ingestion into the wiki knowledge base.
  • [REMOTE_CODE_EXECUTION]: Utilizes npx tsx to execute both pre-existing local setup scripts and dynamically generated JavaScript code strings (using the -e flag) to modify the application's message database.
  • [DATA_EXFILTRATION]: Performs direct write operations to the store/messages.db SQLite database to create persistence via scheduled tasks.
  • [PROMPT_INJECTION]: Contains a significant surface for Indirect Prompt Injection (Category 8) due to its core purpose of ingesting and summarizing untrusted external sources.
      • Ingestion points: Files downloaded via curl or placed in the sources/ directory (SKILL.md Step 4).
      • Boundary markers: Absent; the instructions do not specify the use of delimiters or warnings to ignore instructions embedded within the sources.
      • Capability inventory: Includes shell command execution, file system modification, network access via curl, and database manipulation.
      • Sanitization: Absent; the agent is instructed to read source content and integrate "takeaways" directly into the persistent wiki structure.
  • [DYNAMIC_EXECUTION]: Generates a new SKILL.md file at runtime (Step 3b) and executes inline Node.js code (Step 5) that incorporates environment variables and placeholders, which could lead to command injection if inputs are not strictly validated.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 09:50 PM