bdistill-extract
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the execution of a local script (scripts/extract_engine.py) to perform its core functions. This script acts as a file and data manager driven by agent commands, so whatever the agent passes it is executed with the user's filesystem privileges.
- [DATA_EXFILTRATION]: Multiple path traversal vulnerabilities exist in the extraction engine. The session_id used in checkpointing and the kb_path used for contradiction checks are not sanitized before being used in filesystem operations. An attacker who controls either parameter can potentially read or write files outside the intended directories (for example via ../ sequences or an absolute path).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because the content it processes is never separated from the instructions it acts on.
  - Ingestion points: Agent answers and challenge responses processed during the extraction loop in scripts/extract_engine.py.
  - Boundary markers: None. The script and instructions do not specify delimiters to isolate agent-generated content from system instructions.
  - Capability inventory: File read/write access to the data/ directory and, through the traversal vulnerabilities in scripts/extract_engine.py, arbitrary paths.
  - Sanitization: Domain names are normalized, but session_id, kb_path, and the content of the entries are not checked against malicious patterns.
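The following is an added illustration of the traversal pattern the findings above describe, beside a hardened version. It is not code from bdistill-extract or scripts/extract_engine.py; the directory layout (data/checkpoints, data/kb), the function names and the allow-list regex are all assumptions made for the example.

```python
# Added illustration of the flaw class the audit describes: a caller-chosen
# session_id / kb_path spliced into a filesystem path without confinement,
# beside a hardened version. This is NOT code from bdistill-extract or
# scripts/extract_engine.py; every name and path below is hypothetical.
import os
import re
from pathlib import Path

# Assumed layout: everything the skill may touch lives under ./data
DATA_DIR = Path(os.path.realpath("data"))
CHECKPOINT_DIR = DATA_DIR / "checkpoints"
KB_DIR = DATA_DIR / "kb"

# Allow-list for identifiers: no separators, no dots, bounded length
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_within(path: Path, base: Path) -> bool:
    """True if the fully resolved path sits at or below base (symlinks followed)."""
    resolved = Path(os.path.realpath(path))
    try:
        resolved.relative_to(base)
        return True
    except ValueError:
        return False


def checkpoint_path_unsafe(session_id: str) -> Path:
    """Vulnerable pattern: the identifier is concatenated into the path unchecked,
    so a session_id such as '../../x' walks out of CHECKPOINT_DIR."""
    return Path(os.path.realpath(CHECKPOINT_DIR / f"{session_id}.json"))


def checkpoint_path(session_id: str) -> Path:
    """Hardened: strict allow-list on the identifier, then a confinement check
    on the resolved path as defence in depth."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"invalid session_id: {session_id!r}")
    candidate = Path(os.path.realpath(CHECKPOINT_DIR / f"{session_id}.json"))
    if not is_within(candidate, CHECKPOINT_DIR):
        raise ValueError("checkpoint path escapes CHECKPOINT_DIR")
    return candidate


def kb_path(user_supplied: str) -> Path:
    """Hardened: kb_path is a relative path, so a regex allow-list is too blunt;
    resolve it and require it to stay under KB_DIR. Note that an absolute
    argument replaces KB_DIR entirely when joined with '/', which is exactly
    why the resolved result must be checked rather than the input."""
    candidate = Path(os.path.realpath(KB_DIR / user_supplied))
    if not is_within(candidate, KB_DIR):
        raise ValueError(f"kb_path escapes {KB_DIR}: {user_supplied!r}")
    return candidate


def rejects(fn, arg: str) -> bool:
    """Helper: does the hardened function refuse this input?"""
    try:
        fn(arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hostile = "../../../etc/cron.d/backdoor"          # constructed hostile session_id
    print("unsafe resolves to:", checkpoint_path_unsafe(hostile),
          "inside data/?", is_within(checkpoint_path_unsafe(hostile), DATA_DIR))
    print("hardened rejects:", rejects(checkpoint_path, hostile),
          rejects(kb_path, "/etc/passwd"), rejects(kb_path, "../checkpoints/x.json"))
    print("accepted:", checkpoint_path("sess-2026-04-24"), kb_path("notes/kb.md"))
```

Two caveats a practitioner would add: the confinement check happens at resolution time, so a symlink swapped in between the check and the open can still redirect a write (open checkpoint files with O_NOFOLLOW or inside a directory the skill owns), and because session_id and kb_path can originate from agent output, they must be treated as attacker-controlled input even when the user never typed them.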
Audit Metadata