deep-reading
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill uses `subprocess.run` and `subprocess.Popen` to execute external tools (`yt-dlp`, `mpv`) with arguments derived directly from user-provided URLs and file paths.
  - Evidence: Found in `src/fetcher/youtube.py` (fetching video metadata and audio) and `src/player/mpv_controller.py` (starting playback).
  - Risk: Potential for argument injection if the input strings contain malicious flags interpreted by the external tools.
- [DATA_EXFILTRATION] (MEDIUM): The skill is designed to read and process local files provided by the user, which can lead to sensitive data exposure.
  - Evidence: `src/fetcher/cli.py` and `src/fetcher/pdf.py` accept arbitrary file paths for processing. `SKILL.md` also contains hardcoded absolute paths (e.g., `/Users/liweixin/`), which suggests the skill is tailored for a specific environment and may exhibit unexpected behavior elsewhere.
  - Risk: An attacker could potentially direct the agent to access and summarize sensitive local documents (e.g., PDFs containing private information).
- [EXTERNAL_DOWNLOADS] (LOW): The skill downloads audio and transcript data from YouTube using the `yt-dlp` utility.
  - Evidence: `src/fetcher/youtube.py` manages downloads to the `~/.deep-reading/cache/` directory.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests and processes untrusted data from YouTube transcripts and PDF files.
  - Ingestion points: `src/fetcher/youtube.py` (captions) and `src/fetcher/pdf.py` (PDF text content).
  - Boundary markers: Absent. The skill lacks explicit delimiters or instructions to the model to ignore embedded commands within the fetched content.
  - Capability inventory: Filesystem write access (`src/processor/inspectional.py`), external tool execution (`src/fetcher/youtube.py`, `src/player/mpv_controller.py`).
  - Sanitization: Filenames are sanitized, but document content is interpolated directly into report templates.