specstory-link-trail
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): Missing unverified local dependency.
  - The script `parse_webfetch.py` imports `extract_url_from_context` from `extract_urls_context.py`, but this file is not included in the skill package.
  - The absence of this file prevents verification of the extraction logic, which could potentially contain malicious operations or be leveraged for unauthorized file access given the `Bash` and `Read` capabilities.
- Indirect Prompt Injection (LOW): Surface for instruction injection from processed web data (Category 8).
  - Ingestion points: `parse_webfetch.py` ingests data from `.specstory/history/*.md`, which contains raw content fetched from external websites via the `WebFetch` tool.
  - Boundary markers: Absent. The report generated by `generate_report.py` does not use delimiters or instructions to the agent to disregard embedded commands in the summarized content.
  - Capability inventory: The skill is granted `Bash` and `Read` tool permissions, which could be exploited if an attacker-controlled summary successfully injects instructions into the agent's context.
  - Sanitization: The skill performs basic character escaping for Markdown tables (replacing `|` with `\|`) but lacks sanitization against natural language instruction injection.
Audit Metadata