eng-lang-tutor
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate language learning tool that follows established security practices.
- [COMMAND_EXECUTION]: The audio modules (`audio/composer.py`, `audio/converter.py`) utilize `subprocess` to execute `ffmpeg` for merging and converting audio files. These calls are performed using absolute paths for binaries and internally generated file paths, minimizing command injection risks.
- [EXTERNAL_DOWNLOADS]: The skill installs necessary dependencies via standard package managers (`pip`, `npm`). At runtime, it connects to well-known TTS service providers (Microsoft Edge, XunFei) and the Feishu API for audio delivery, which are documented features of the skill.
- [DATA_EXFILTRATION]: Educational content and audio files are sent to messaging platforms (Feishu, Discord) as part of the core delivery mechanism. No evidence of unauthorized sensitive data access or exfiltration to unknown domains was found.
- [INDIRECT_PROMPT_INJECTION]: The skill handles LLM-generated JSON for lessons and quizzes. It mitigates potential injection risks by enforcing strict JSON schemas for all generated content and employing proper shell escaping (e.g., `'` to `'\''`) when the agent executes local CLI commands to save data.
Audit Metadata