jacky-wiki
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads up to 8 markdown files from the user's knowledge base and summarizes them. Maliciously crafted content within these files could override the agent's instructions or bias its output.
- Ingestion points: Reads content from files within the _inbox/ and Wiki/ directories during search operations.
- Boundary markers: No specific delimiters or instructions to ignore embedded commands are present when reading external file content.
- Capability inventory: Performs file reading, file searching (find, grep), directory creation (mkdir -p), and file writing/appending.
- Sanitization: The instructions do not specify any sanitization or validation of the content retrieved from the knowledge base before it is processed by the agent.
- [COMMAND_EXECUTION]: The workflow specifies searching the knowledge base using logic equivalent to shell commands like find and grep -rl. If the agent's underlying implementation translates these instructions into shell execution without rigorous sanitization of keywords or filenames, it could lead to command injection vulnerabilities.
- [DATA_EXPOSURE]: The skill accesses and reads user-defined local directories (e.g., WIKI_ROOT or 0、知识库/), which may contain sensitive personal information. While this is the intended functionality of a knowledge base tool, it grants the agent broad read access to the local filesystem within the designated root.
Audit Metadata