knowledge-absorber
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The `SKILL.md` file contains a 'dependency self-healing' instruction that commands the agent to 'immediately auto-execute' `pip install -r [SKILL_PATH]/requirements.txt` without asking the user if an `ImportError` is encountered. This bypasses user oversight for shell command execution.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill identifies and installs external Python dependencies at runtime. While the packages in `requirements.txt` appear standard, the automated installation process facilitates potential supply chain risks or unauthorized software installation.
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill is designed to ingest and 'deeply analyze' content from arbitrary URLs or local files, which is then used to influence the agent's subsequent 'Master Persona' output.
  - Ingestion points: `scripts/content_ingester.py` processes external inputs; data is stored in `config/raw_content.txt`.
  - Boundary markers: Absent. The skill does not define clear delimiters or instructions to the LLM to ignore potentially malicious commands embedded in the ingested documents.
  - Capability inventory: The skill can execute Python scripts, perform web searches via `WebSearch`, and write HTML/Markdown files to the local filesystem.
  - Sanitization: While `html2text` is used to clean HTML noise, no security-focused sanitization is performed on the ingested text before it is processed by the model.
Recommendations
- AI detected serious security threats
Audit Metadata