ref-skill
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted external data when reading documentation pages from the web, creating a potential surface for indirect prompt injection.
- Ingestion points: Content is retrieved via `mcp__Ref__ref_read_url` from URLs found during search (referenced in SKILL.md).
- Boundary markers: The instructions do not specify explicit delimiters or "ignore instructions" wrappers for the ingested content.
- Capability inventory: The skill is limited to documentation search and retrieval; it lacks file-writing, code execution, or system modification capabilities.
- Sanitization: No explicit sanitization or filtering of the retrieved markdown content is documented.
- [DATA_EXPOSURE]: The skill facilitates access to potentially sensitive information by supporting a `ref_src=private` parameter for searching private documentation sources.
- Evidence: `references/ref-skill.md` notes that private docs can be targeted if specified in the query. This is a legitimate feature for users with access to private repositories.
Audit Metadata