readwise
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings flagged: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes user-generated content (highlights, book titles, and notes) from the Readwise API. This content could contain malicious instructions designed to hijack the agent's behavior during tasks like summarization.
  - Ingestion points: Content is ingested via the `highlights list`, `highlights review`, and `book` commands in `scripts/readwise_client.py`.
  - Boundary markers: The skill does not implement delimiters or explicit instructions to ignore commands within the fetched data.
  - Capability inventory: The skill uses `Bash(uv run *)` and can read local files via CLI parameters.
  - Sanitization: No sanitization or validation of the API-provided strings is performed before they are presented to the agent.
- [COMMAND_EXECUTION]: The `scripts/readwise_client.py` script allows the agent to read local files using the `--text-file` and `--bulk-file` options.
  - This functionality enables the agent to access arbitrary files on the system. Although the data is intended for transmission to a well-known service (Readwise), it represents a potential data exposure risk if the agent is manipulated into reading sensitive system files.
- [PROMPT_INJECTION]: The `SKILL.md` instructions include override-style markers such as 'Critical' and 'Always specify', although these are used for legitimate operational guidance regarding API usage rather than malicious bypasses.
Audit Metadata