kb-load
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill's file resolution logic in SKILL.md is vulnerable to path traversal. In Step 3, the instruction to resolve files using the pattern
docs/kb/{input}does not include sanitization for parent directory references (../). This allows an attacker to provide a crafted path that tricks the agent into reading sensitive files outside the intended directory, such as .env files or workspace configurations.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the files it processes. In SKILL.md, Step 4 instructs the agent to "Parse and internalize" the full content of repository files. These files are untrusted data sources that could contain malicious instructions designed to hijack the agent's behavior once loaded into the conversation context.\n - Ingestion points: Files located under
docs/kb/,CLAUDE.md, anddocs/kb/_index.md.\n - Boundary markers: Absent; the skill does not use delimiters or instructions to treat the content as inert data.\n
- Capability inventory: The skill allows reading and displaying the content of any file accessible via the path traversal vulnerability.\n
- Sanitization: None; the content is parsed and internalized without any filtering or validation.
Audit Metadata