wiki-skill
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: CRITICAL
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes system binaries and generates scripts to facilitate its knowledge management features:
  - src/core/vault.ts uses execFileSync to run /usr/bin/mdls and /usr/bin/strings for extracting text content from PDF and binary files.
  - src/core/workspace-skills.ts uses spawnSync to invoke npx for installing additional parser skills (e.g., pdf, docx) during the setup process.
  - src/core/workflow-context.ts dynamically generates a shell wrapper (wiki) and places it on the agent's PATH to allow the AI workflow to execute the skill's own CLI commands.
  - src/utils/process.ts uses spawn to invoke platform-specific commands like open, start, or xdg-open to open files or URLs, which is triggered by user interactions in the dashboard.
- [EXTERNAL_DOWNLOADS]: During the initialization and setup phase, the skill downloads external components:
  - src/core/workspace-skills.ts is configured to download and add parser skills from Anthropic's official GitHub repository (anthropics/skills) to the local environment.
- [PROMPT_INJECTION]: The skill architecture contains a surface for indirect prompt injection via its vault ingestion workflow:
  - Ingestion points: src/core/vault-processing.ts claims untrusted files from the vault/ directory for processing.
  - Boundary markers: While src/core/workflow-context.ts uses structured prompt sections, there are no strict sanitization or "ignore embedded instructions" guards for the raw file content being processed.
  - Capability inventory: The AI agent is granted workspace-write sandbox permissions, network access, and the ability to execute CLI commands (wiki), which could be abused if a malicious file in the vault influences agent behavior.
  - Sanitization: File content is extracted as raw text and interpolated directly into the workflow context.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata