iii-directory
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches worker bundles from the vendor registry at
api.workers.iii.devand provides functionality to pull skill folders from arbitrary GitHub repositories via thedirectory::skills::download_from_repofunction. - [REMOTE_CODE_EXECUTION]: Functions such as
download_from_registryanddownload_from_repofacilitate the installation of worker bundles by writing files directly to the local disk, which are subsequently utilized by the engine. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes and serves instructions (skills and prompts) from external sources and local files to the agent.
- Ingestion points:
directory::skills::get(reads files from disk),directory::registry::workers::info(fetches data from a remote API). - Boundary markers: The documentation does not specify the use of delimiters or warnings to ignore instructions embedded within the fetched documents.
- Capability inventory: The worker has the capability to write to the local filesystem via its download functions.
- Sanitization: No sanitization or validation of the fetched markdown or registry content is described.
Audit Metadata