tapestry
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external URLs and passes it to the LLM for 'action planning'.
  - Ingestion points: Content is saved to 'temp_article.txt' and 'temp_pdf.txt' before being read by the agent.
  - Boundary markers: The skill does not define clear delimiters or system instructions to ignore embedded commands within the extracted content.
  - Capability inventory: The agent has access to 'Bash', 'Read', and 'Write' tools, allowing for file manipulation and network access.
  - Sanitization: While the skill sanitizes filenames, it does not sanitize the extracted body content before the agent processes it for planning.
- [COMMAND_EXECUTION]: The skill uses Bash scripts that incorporate user-supplied variables (URLs) into command lines.
  - Evidence: The workflow uses 'curl', 'reader', and 'trafilatura' directly with the '$URL' variable. If the agent's shell execution environment does not properly escape these inputs, it could lead to command injection.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch external resources from arbitrary URLs provided by the user.
  - Evidence: Uses 'curl -L -o' to download PDFs and 'curl -s' to fetch HTML content. This allows the agent to interact with potentially malicious remote servers.