skills/einverne/agent-skills/intro/Gen Agent Trust Hub

intro

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted web content through search tools (Perplexity, Exa, and WebSearch) and then uses that content to generate or update local files. An attacker could place malicious instructions on a website, and the agent could then follow those instructions while attempting to summarize the topic.
    • Ingestion points: External web content fetched during the research phase.
    • Boundary markers: Not present; the skill lacks delimiters or specific instructions to disregard malicious prompts embedded in retrieved text.
    • Capability inventory: The skill can read and write files within the 'Zettelkasten/' directory.
    • Sanitization: No validation or filtering of external content is implemented before processing.
  • [COMMAND_EXECUTION]: The skill manages local files by creating new markdown documents and updating existing ones in the 'Zettelkasten/' directory based on its research findings.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 01:42 AM