article-list-processor

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script in index.ts uses child_process.spawn to run npm run skill:verify. While the command is static and triggered internally, it represents the execution of local shell processes.
  • [DATA_EXFILTRATION]: The skill performs outbound HTTP requests using node-fetch to arbitrary URLs provided in user-supplied Markdown files. This network activity is necessary for the skill's stated purpose of article crawling but allows the agent to interact with any external domain.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves content from external web pages and injects it directly into the AI prompt for processing.
  • Ingestion points: External content is fetched in index.ts via fetchArticleContent and passed to the generateContent function.
  • Boundary markers: The prompt construction in buildArticleLinkPrompt (referenced in index.ts) does not appear to use robust delimiters or instructions to the model to ignore potential commands embedded in the crawled text.
  • Capability inventory: The skill has permissions to read/write to the local file system (local_inputs, archive, outputs), perform network requests, and execute subprocesses via npm.
  • Sanitization: The content extracted via @mozilla/readability is trimmed but otherwise unsanitized before being sent to the LLM, leaving the agent open to instructions hidden in the crawled articles.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 28, 2026, 11:05 AM