mdbook-tech-writer

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands such as mdbook build, mdbook test, mdbook serve, and mdbook clean within the 'Phase 4: Review & Polish' section of SKILL.md and the 'Testing' section of references/mdbook-structure.md. These commands provide the agent with the capability to interact directly with the local environment and manage processes.
  • [REMOTE_CODE_EXECUTION]: In SKILL.md, the agent is directed to run mdbook test to verify Rust code examples. This command identifies, compiles, and executes code blocks within markdown files. If the repository being documented contains malicious code snippets—either intentionally placed by an attacker or introduced via indirect prompt injection—the agent will execute that code with the permissions of the host user.
  • [EXTERNAL_DOWNLOADS]: The references/mdbook-structure.md file contains a CI/CD configuration example that uses cargo install mdbook to fetch and install the tool from an external registry. While crates.io is a well-known service, the pattern of downloading and installing binary dependencies during execution is a recognized vector for supply chain risks.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection through the steps in SKILL.md (Phase 1: Audit & Plan) that instruct the agent to "Scan the codebase" and "Map existing docs". Malicious content embedded in README files, inline code comments, or existing markdown files within a target project could influence the agent's behavior or inject code snippets that are later executed during the mdbook test phase.
      • Ingestion points: Codebase files, inline doc comments (///), and existing markdown files identified in SKILL.md (Phase 1).
      • Boundary markers: Absent; the skill does not specify delimiters around scanned data or instruct the agent to ignore commands embedded in it.
      • Capability inventory: Shell command execution (mdbook CLI), file system read/write access, and code execution via mdbook test.
      • Sanitization: The skill lacks instructions for sanitizing or validating external content before it is included in the documentation structure or tested.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 1, 2026, 09:54 AM