wp-trac-timeline
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local PHP script (
timeline.php) to process queries. The execution is protected by anallowed-toolspath-based restriction in the metadata, which ensures that only the specified script can be executed with provided arguments.\n- [EXTERNAL_DOWNLOADS]: The script fetches RSS feed data from the official WordPress Trac domain (core.trac.wordpress.org). This is a well-known technology service, and the data is retrieved usinghttp_build_queryfor secure parameter encoding, preventing URL injection.\n- [PROMPT_INJECTION]: The skill processes untrusted project activity data from an external RSS feed. While this creates a surface for indirect prompt injection, the risk is minimal as the skill performs only read operations and utilizes sanitization for the displayed content.\n - Ingestion points:
scripts/timeline.phpretrieves RSS data from the WordPress Trac activity feed.\n - Boundary markers: The output is structured with Markdown headers and horizontal rules (
---) to delineate distinct events for the agent.\n - Capability inventory: The skill is restricted to network data retrieval and standard output; it cannot write files or modify the system environment.\n
- Sanitization: The script employs
strip_tags()to remove HTML tags andhtml_entity_decode()to process encoded characters before rendering the timeline items.
Audit Metadata