skills/eddmann/jeeves/summarise/Gen Agent Trust Hub

summarise

Warn

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The execution command recommended in SKILL.md uses the --allow-env="*" flag. This grants the summarization process access to all environment variables on the host system, including potentially sensitive API keys (e.g., ANTHROPIC_API_KEY) and other credentials that may not be required for the skill's function. Combined with --allow-host="*", this creates a path for data exfiltration.
  • [EXTERNAL_DOWNLOADS]: The skill relies on the @steipete/summarize package, which is an external dependency downloaded from the NPM registry. The scripts/summarize.ts file dynamically imports this package to execute its CLI logic.
  • [COMMAND_EXECUTION]: The skill uses the buns runtime to execute a TypeScript script that wraps a third-party CLI tool, invoking subprocesses with broad host and environment permissions.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it is designed to ingest and process content from untrusted external sources like web pages, YouTube transcripts, and podcasts.
  • Ingestion points: Content is fetched from arbitrary URLs, YouTube videos, and files as specified in SKILL.md.
  • Boundary markers: No boundary markers or instructions to treat external content as untrusted data are provided in the skill definition.
  • Capability inventory: The process has full network access (--allow-host="*") and access to all environment variables (--allow-env="*") via the buns execution flags.
  • Sanitization: There is no evidence of sanitization or filtering applied to the fetched content before it is processed by the agent or the CLI tool.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 17, 2026, 09:56 AM
Security Audit — agent-trust-hub — summarise