reader-recap

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted document content and user annotations, which creates a surface for indirect prompt injection.
    - Ingestion points: External data is fetched from the Readwise API via MCP tools or CLI commands as defined in SKILL.md.
    - Boundary markers: The instructions do not define explicit delimiters or 'ignore' instructions for the ingested content.
    - Capability inventory: The agent's actions are restricted to reading data and generating a briefing; no file-write or system-level execution capabilities are available.
    - Sanitization: Fetched content is interpolated into the summary without specific escaping or validation.
  • [DATA_EXFILTRATION]: The skill accesses a local file to personalize the user experience based on preferences.
    - Evidence: Reads the file reader_persona.md from the current working directory to tailor the briefing output.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 06:43 PM