learning-engine

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands such as git clone and cp -r using user-provided variables {github_url} and {local_path}. This pattern represents a command injection risk if the platform does not apply strict escaping, as a user could provide a crafted path containing command separators.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the downloading of external content from arbitrary GitHub repositories specified by the user to serve as learning material.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external repositories and documents, which could contain malicious instructions designed to influence the agent or its subagents.
  • Ingestion points: Arbitrary GitHub repositories, local project directories, and various document formats (PDF, HTML, etc.) provided by the user (SKILL.md Step 1).
  • Boundary markers: There are no security-oriented delimiters or 'ignore' instructions used when processing input content; structural markers like '> 资料原文:' are only used in the final lesson output for formatting.
  • Capability inventory: The skill possesses the ability to read and write files, execute shell commands, and orchestrate subagents for analysis and content generation.
  • Sanitization: Content processing lacks sanitization or validation beyond basic file extension checks, leaving the agent vulnerable to instructions embedded within the learning materials.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 14, 2026, 04:55 AM