content-search

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
PROMPT_INJECTION · COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes and displays untrusted data from the filesystem.
      • Ingestion points: File contents are read and returned to the agent context via ripgrep or grep based on search patterns (SKILL.md).
      • Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions to separate searched content from the agent's system instructions.
      • Capability inventory: The skill is capable of executing a Node.js search script which interfaces with system binaries, potentially providing a path for exploitation if paired with malicious data.
      • Sanitization: No sanitization or escaping of the retrieved file content is mentioned before it is presented to the LLM.
  • [COMMAND_EXECUTION]: The skill is designed to execute a local Node.js script (/job/.pi/skills/content-search/search.js) which in turn executes system binaries like ripgrep (rg) and grep.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 05:10 AM