kb-retriever
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted local data (Markdown, PDF, Excel) to answer user questions, creating an indirect prompt injection surface.
- Ingestion points: Markdown, PDF, and Excel files within the user-defined knowledge base directory (SKILL.md).
- Boundary markers: Absent; instructions do not specify the use of delimiters for retrieved content.
- Capability inventory: Access to shell commands (grep, pdftotext) and Python execution (pandas, pdfplumber).
- Sanitization: Absent; no requirement to sanitize retrieved content before processing.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands like
pdftotextandgrep, and Python code viapandas. The agent constructs these commands using filenames and paths found in the local directory, which could be exploited if filenames are maliciously crafted to trigger command injection. - [DATA_EXFILTRATION]: The skill allows users to provide an arbitrary path for the knowledge base root in their query. This design can lead to sensitive data exposure if the agent is directed to directories containing configuration files, credentials, or SSH keys (e.g.,
~/.sshor/etc), which it might then read and summarize for the user.
Audit Metadata