weekly-report

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill processes data from the Yuque API (titles, names, activities) and interpolates it into a report template, which could be exploited if an attacker controls those fields.
    • Ingestion points: Activity data fetched via yuque_group_doc_stats, yuque_group_member_stats, and yuque_list_repos in SKILL.md.
    • Boundary markers: Absent; data is directly placed into markdown tables within the report body.
    • Capability inventory: The yuque_create_doc tool allows writing data back to the Yuque platform.
    • Sanitization: No validation or escaping is described for the content retrieved from external API calls.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 26, 2026, 12:34 AM