skills/ariadoss/superskills/tapestry/Gen Agent Trust Hub

tapestry

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell scripts to process URLs and file names. In the YouTube extraction section, the $URL variable is used directly in a command string yt-dlp --print "%(title)s" "$URL", which could lead to command injection if a maliciously crafted URL containing shell metacharacters is provided. Similar patterns exist in the article extraction logic.
  • [EXTERNAL_DOWNLOADS]: The skill automatically attempts to install system-level packages using brew install yt-dlp if the tool is missing. While directed at a well-known package manager, automated system modification without explicit user consent is a security and stability concern.
  • [COMMAND_EXECUTION]: The workflow incorporates user input from read -r KEEP_PDF into shell logic. While intended for cleanup, input from read should be handled with caution in automated scripts to prevent unexpected shell behavior.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 28, 2026, 05:49 AM