markbase-skill
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill body contains explicit override instructions, stating that the Git Protocol is "always in effect, overrides everything." This pattern is used to force specific behaviors over safety or system constraints.
- [COMMAND_EXECUTION]: The agent is instructed to execute various shell commands including 'git pull', 'git rebase', 'git commit', 'git push', and multiple subcommands of the 'markbase' tool. This provides a broad surface for interacting with the host shell.
- [DATA_EXFILTRATION]: The skill uses 'git push' to synchronize the vault with a remote repository. While intended for synchronization, this mechanism could be used to exfiltrate any sensitive data stored within the vault directory, such as configuration files or credentials.
- [EXTERNAL_DOWNLOADS]: The 'git pull' and 'git pull --rebase' commands facilitate the download of content from a remote repository into the local environment, which the agent then processes and acts upon.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection through its note-processing workflow.
  - Ingestion points: The agent reads raw and rendered content from Markdown files in the vault using 'read_file' and 'markbase note render'. These files are subject to modification by external "Remote Bot" writers.
  - Boundary markers: No delimiters or safety instructions are provided to prevent the agent from following malicious instructions embedded within the notes (e.g., inside the 'body' or 'frontmatter').
  - Capability inventory: The skill possesses the ability to execute shell commands, read/write files, and push data to remote Git repositories.
  - Sanitization: There is no mention of sanitization or validation of the content retrieved from the vault notes before the agent uses it to perform updates or consolidation tasks.