deckset
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `SKILL.md` workflow explicitly instructs the agent to execute a local Python script using `uv run scripts/refresh_sources.py`. This script is used to synchronize the skill's reference materials with upstream sources.
- [EXTERNAL_DOWNLOADS]: The `refresh_sources.py` script performs network requests to fetch documentation from `docs.deckset.com` and example presentations from `api.github.com`. These downloads target the official product documentation and well-known services.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its reliance on external data sources.
  - Ingestion points: The agent reads content from `references/deckset-markdownDocumentation.html` and `references/examples/*.md`, which are populated via external network requests.
  - Boundary markers: There are no explicit instructions in `SKILL.md` to treat the content of these reference files as untrusted or to ignore embedded instructions within them.
  - Capability inventory: The skill allows the execution of a local Python script via `uv run` and the generation of markdown files that are influenced by the fetched data.
  - Sanitization: While the Python script cleans HTML tags and unescapes characters, it does not perform any validation or filtering to prevent the agent from obeying malicious instructions embedded in the external markdown files.
- [CREDENTIALS_UNSAFE]: The Python script checks for the existence of `GH_TOKEN` or `GITHUB_TOKEN` in the environment to authenticate with the GitHub API. This is a standard and safe method for handling API access, as no secrets are hardcoded in the skill itself.
Audit Metadata