summarise
Warn
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The execution command recommended in
SKILL.mduses the--allow-env="*"flag. This grants the summarization process access to all environment variables on the host system, including potentially sensitive API keys (e.g.,ANTHROPIC_API_KEY) and other credentials that may not be required for the skill's function. Combined with--allow-host="*", this creates a path for data exfiltration. - [EXTERNAL_DOWNLOADS]: The skill relies on the
@steipete/summarizepackage, which is an external dependency downloaded from the NPM registry. Thescripts/summarize.tsfile dynamically imports this package to execute its CLI logic. - [COMMAND_EXECUTION]: The skill uses the
bunsruntime to execute a TypeScript script that wraps a third-party CLI tool, invoking subprocesses with broad host and environment permissions. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it is designed to ingest and process content from untrusted external sources like web pages, YouTube transcripts, and podcasts.
- Ingestion points: Content is fetched from arbitrary URLs, YouTube videos, and files as specified in
SKILL.md. - Boundary markers: No boundary markers or instructions to treat external content as untrusted data are provided in the skill definition.
- Capability inventory: The process has full network access (
--allow-host="*") and access to all environment variables (--allow-env="*") via thebunsexecution flags. - Sanitization: There is no evidence of sanitization or filtering applied to the fetched content before it is processed by the agent or the CLI tool.
Audit Metadata