blog-catalog
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a local Node.js script (extract.mjs) that automates the extraction of frontmatter from markdown files. This is a standard and legitimate use of local automation within a skill's directory.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by aggregating metadata from various source files into a central catalog that is intended to be read by other agent functions.
  - Ingestion points: The script extract.mjs reads content from all .md files located in the content/blog/posts directory.
  - Boundary markers: The generated output file (blog-catalog.md) does not include specific delimiters or warnings to prevent an agent from inadvertently following instructions that might be embedded within the extracted text.
  - Capability inventory: The skill is granted Read, Write, and Bash permissions, allowing it to process the local filesystem and execute internal scripts.
  - Sanitization: The script performs minimal cleaning of input data (such as stripping quotes) but does not sanitize or escape markdown content, meaning any instructions present in the blog metadata will be passed directly into the catalog.
Audit Metadata