media-ingest
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by design, as it fetches and processes untrusted data from multiple external formats.
- Ingestion points: Untrusted content is ingested from YouTube transcripts, audio files, PDFs, screenshots, and cloned GitHub repositories as described in the Phase 1 processing table in
SKILL.md. - Boundary markers: Absent. The instructions do not provide delimiters or specific guidelines for the agent to distinguish between ingested data and instructions, nor do they include warnings to ignore embedded commands within the media.
- Capability inventory: The agent is granted several mutating capabilities, including
put_page,add_link,add_timeline_entry, andfile_upload. These could be misused if the agent's logic is subverted by malicious content in a processed file. - Sanitization: Absent. There is no mention of filtering, escaping, or validating the extracted text (OCR, transcripts, or README content) before it is used to populate the 'brain' pages or entity cross-links.
- [COMMAND_EXECUTION]: The skill performs shell-level operations to interact with external resources.
- The Phase 1 instructions for GitHub repositories include 'Clone, read README + key files'. Cloning arbitrary external repositories can expose the system to malicious file structures or vulnerabilities in the underlying
gitor file-system utilities. - The skill utilizes the
gbrainCLI tool (e.g.,gbrain files upload-raw,gbrain sync) to manage the ingestion process. While these appear to be vendor-provided tools, their use for processing untrusted external files increases the impact of potential injection or file-handling vulnerabilities.
Audit Metadata