docs-seeker
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructions in Phase 3 direct the agent to run 'npm install -g repomix' if needed. Installing global packages at runtime from public registries is a risk for supply chain attacks.
- [COMMAND_EXECUTION] (MEDIUM): The workflow executes shell commands such as 'git clone' and 'repomix' against external repositories identified via web search. This means potentially malicious repository content is processed by local tooling.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection due to its core purpose of ingesting and summarizing untrusted external data. Evidence Chain: (1) Ingestion points: WebFetch in Phase 2, git clone and Repomix in Phase 3. (2) Boundary markers: None specified for the Explorer or Researcher agents. (3) Capability inventory: npm installation, git cloning, and shell command execution. (4) Sanitization: No sanitization of the fetched documentation content is mentioned before it is passed to agents for analysis.
- [DATA_EXFILTRATION] (LOW): The skill frequently accesses 'context7.com', a non-whitelisted domain, to retrieve documentation. Although this is the intended functionality, it establishes a communication channel with an unverified external entity.
Audit Metadata