doc-skill-generator
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from external, untrusted sources (websites and PDFs).
- Ingestion points:
lib/crawler.js(retrieves web content via Playwright) andlib/pdf-reader.js(downloads and parses PDF text). - Boundary markers: Absent. While content is structured into Markdown files in the
docs/directory, there are no explicit delimiters or instructions telling the AI to ignore embedded commands within that content. - Capability inventory: The skill can write files (
fs.writeFileSync,fs.cpSync), delete files (fs.rmSync), and execute shell commands (child_process.execFileSyncto call the Playwright tool). - Sanitization: Content extracted from documents is not sanitized for natural language instructions that might influence the Agent's behavior during the skill generation or analysis phase.
- [EXTERNAL_DOWNLOADS]: The skill downloads external PDF files from user-provided URLs using the
lib/pdf-reader.jsmodule. It uses the standardhttpandhttpsmodules to fetch these files into a temporary directory for processing. - [COMMAND_EXECUTION]: The skill executes local commands to interact with the Playwright tool and perform file system operations.
- Subprocess execution:
lib/crawler.jsusesexecFileSyncto invoke theplaywrightskill'stool.jsfor web scraping. - File system operations:
tool.jsandlib/generator.jsperform significant file system operations including creating directories, writing generated code and documentation, and copying or deleting files in the installation target path.
Audit Metadata