es-ingest
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The README instructions direct users to install the skill via
npxorgit clonefrom thewalterra/agent-toolsrepository. This source is not on the trusted organizations list, making it an unverifiable external dependency.\n - Evidence:
README.mdline 10:npx skills add walterra/agent-tools --skill es-ingest\n - Evidence:
README.mdline 13:git clone https://github.com/walterra/agent-tools.git\n- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes a CLI script (ingest.js) that dynamically loads and executes JavaScript transformation files provided via the--transformflag. This allows for arbitrary code execution within the agent's environment.\n - Evidence:
README.mdline 26:--transform transform.js\n - Capability: The example scripts like
examples/transform.jsdemonstrate that the tool executes user-provided logic on every document processed.\n- [PROMPT_INJECTION] (LOW): The skill ingests untrusted external data (CSV/JSON) which constitutes a surface for indirect prompt injection if the indexed data is later consumed by an LLM.\n - Ingestion points:
scripts/ingest.jsprocesses user-supplied files via the--fileargument.\n - Boundary markers: Absent; there are no instructions provided to the agent to treat the data as untrusted or to use delimiters.\n
- Capability inventory: The skill performs file system reads and network writes to Elasticsearch nodes.\n
- Sanitization: Absent; the provided transformation examples focus on enrichment rather than security validation or sanitization of input data.
Audit Metadata