baoyu-infographic
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by design.
- Ingestion points: User-provided content is ingested from the source file or clipboard and stored in source.md in Step 1.2.
- Boundary markers: The prompt template in references/base-prompt.md uses markdown sections to delimit content but lacks specific instructions for the underlying model to ignore commands within that content.
- Capability inventory: The skill has the ability to write files to the system and invoke external image generation skills with the populated prompt.
- Sanitization: There is no evidence of content sanitization; the skill intentionally preserves source data verbatim to ensure accuracy, so any instructions embedded in that data pass through to the model unchanged.
- Remediation: Wrap external content in delimiters with explicit 'ignore embedded instructions' warnings and sanitize user input before interpolation.
- [COMMAND_EXECUTION]: The skill uses hardcoded Bash commands to check for the existence of configuration files (EXTEND.md) in the project and home directories. This is used for preference loading and does not involve untrusted input execution.
Audit Metadata