qiita
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a high-risk attack surface by consuming untrusted external data and providing tools to modify the platform state.
  - Ingestion points: Untrusted data enters the agent's context through article searches (`item search`), article retrieval (`item get`), and comment listing (`comment list`) as defined in `SKILL.md`.
  - Boundary markers: The skill documentation provides no instructions for the agent to use delimiters or ignore instructions found within retrieved articles or comments.
  - Capability inventory: The agent is granted capabilities with significant side effects, including `item post`, `item update`, `item delete`, and `comment post`.
  - Sanitization: There is no mention of sanitizing retrieved Markdown or validating that the content is strictly data and not executable instructions for the LLM.
- Command Execution (LOW): The skill relies on an external shell script `scripts/qiita.sh`. It explicitly instructs the agent to use `bash -c` for execution to handle environment variables. While standard, this pattern requires the underlying script to be highly resilient against shell injection from parameters like `--query` or `--title`, which may contain special characters from external sources.
Recommendations
- AI detected serious security threats
Audit Metadata