skills/garrytan/gbrain/media-ingest/Gen Agent Trust Hub

media-ingest

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by design, as it fetches and processes untrusted data from multiple external formats.
  • Ingestion points: Untrusted content is ingested from YouTube transcripts, audio files, PDFs, screenshots, and cloned GitHub repositories as described in the Phase 1 processing table in SKILL.md.
  • Boundary markers: Absent. The instructions do not provide delimiters or specific guidelines for the agent to distinguish between ingested data and instructions, nor do they include warnings to ignore embedded commands within the media.
  • Capability inventory: The agent is granted several mutating capabilities, including put_page, add_link, add_timeline_entry, and file_upload. These could be misused if the agent's logic is subverted by malicious content in a processed file.
  • Sanitization: Absent. There is no mention of filtering, escaping, or validating the extracted text (OCR, transcripts, or README content) before it is used to populate the 'brain' pages or entity cross-links.
  • [COMMAND_EXECUTION]: The skill performs shell-level operations to interact with external resources.
  • The Phase 1 instructions for GitHub repositories include 'Clone, read README + key files'. Cloning arbitrary external repositories can expose the system to malicious file structures or vulnerabilities in the underlying git or file-system utilities.
  • The skill utilizes the gbrain CLI tool (e.g., gbrain files upload-raw, gbrain sync) to manage the ingestion process. While these appear to be vendor-provided tools, their use for processing untrusted external files increases the impact of potential injection or file-handling vulnerabilities.
Audit Metadata
Risk Level
SAFE
Analyzed
May 13, 2026, 03:27 PM
Security Audit — agent-trust-hub — media-ingest