Skills
skills/timescale/marketing-skills/ghost-paper/Gen Agent Trust Hub

ghost-paper

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute the ghost-paper package from the npm registry. This package is the primary dependency for report generation and is provided by the skill author.
  • [REMOTE_CODE_EXECUTION]: By invoking npx, the skill executes code from a remote package repository (npm) to perform its core functions.
  • [COMMAND_EXECUTION]: Shell commands are employed to fetch guidelines via npx ghost-paper prompt and to compile reports using the npx ghost-paper build command.
  • [PROMPT_INJECTION]: The skill processes untrusted user data to generate reports, which creates a surface for indirect prompt injection.
  • Ingestion points: User-supplied data, metrics, and markdown drafts are used as the primary input for the report generation process (Step 2).
  • Boundary markers: There are no specified delimiters or 'ignore' instructions to isolate user-provided text from the structural markdown instructions.
  • Capability inventory: The skill allows the agent to write files to the local filesystem and execute shell commands through the npx utility.
  • Sanitization: Content provided by the user is written directly to the source markdown file without explicit sanitization or escaping of potential instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 13, 2026, 01:21 PM