feed-diet
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It retrieves untrusted story titles and feed content from external sources (Hacker News and RSS feeds) and interpolates them into an LLM prompt for classification in `scripts/classify.sh`.
  - Ingestion points: Untrusted data enters via `scripts/hn-fetch.sh` (Hacker News API) and `scripts/opml-parse.sh` (external RSS/Atom feeds).
  - Boundary markers: The prompt lacks clear delimiters or instructions for the LLM to ignore potentially malicious commands embedded within the fetched titles.
  - Capability inventory: The skill possesses network access (curl) and file-writing capabilities (caching in `~/.cache/feed-diet`).
  - Sanitization: No sanitization or escaping is performed on the content before it is processed by the LLM, allowing a malicious feed title to potentially manipulate the classification results.
- [DATA_EXFILTRATION]: The skill performs network operations that present a surface for Server-Side Request Forgery (SSRF). In `scripts/opml-parse.sh`, the script fetches URLs defined in a user-supplied OPML file. While it restricts protocols to HTTP/HTTPS, it does not implement checks against internal IP ranges or sensitive hostnames, potentially allowing the agent to be used to probe internal network resources.
- [COMMAND_EXECUTION]: The skill relies on shell scripts and inline Python execution (`python3 -c`) to process data and generate reports. While the logic is statically defined within the scripts, the pattern of passing data via environment variables into a runtime-evaluated Python environment is observed across `scripts/classify.sh`, `scripts/hn-fetch.sh`, and `scripts/opml-parse.sh`.
Audit Metadata