planning-content
Fail
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The `setup.sh` script downloads an installation script from `https://astral.sh/uv/install.sh`. This is the official distribution endpoint for the `uv` package manager, a well-known tool in the Python ecosystem.
- [COMMAND_EXECUTION]: The `youtube_handler.py` script executes the `yt-dlp` utility using `subprocess.run` to fetch video metadata. The command uses `sys.executable` to ensure it runs within the established virtual environment.
- [DATA_EXFILTRATION]: The skill performs legitimate network requests to fetch page titles and YouTube transcripts using `urllib.request` and the `youtube-transcript-api`. These operations are required for the skill's primary purpose of analyzing external content.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to its core function of ingesting untrusted data for processing and outline generation.
  - Ingestion points: External content enters the agent's context through `scripts/convert_to_markdown.py` (which handles files and general URLs) and `scripts/youtube_handler.py` (which handles YouTube transcripts).
  - Boundary markers: The instructions in `SKILL.md` do not implement explicit delimiters or instructions to treat the converted content as data rather than instructions, potentially allowing embedded malicious prompts to influence the agent.
  - Capability inventory: The skill scripts can execute shell commands via `subprocess.run` (in `youtube_handler.py`), perform network fetches, and write files to the project directory.
  - Sanitization: While the skill uses regex to sanitize YouTube video IDs, it relies on the underlying parsing libraries (`docling`, `yt-dlp`) for the safe handling of document and media structures.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review