the-librarian
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill clones external repositories to the local environment using git. This is the intended behavior for maintaining a reference library.\n
- Evidence:
git clone --depth 1 --single-branch <url> <library-root>/sources/<owner>_<repo>inreferences/stock.md.\n- [PROMPT_INJECTION]: The skill facilitates the ingestion and processing of untrusted data from external repositories, which creates a potential vector for indirect prompt injection where malicious instructions in the source code could influence the agent's logic.\n - Ingestion points: Untrusted data enters the environment via repository cloning in
references/stock.mdand is processed through file reads and searches inreferences/consult.mdandreferences/research.md.\n - Boundary markers: The instructions do not define delimiters or provide specific prompts to the model to ignore embedded instructions in the reference documents, increasing the likelihood of the model following malicious content as if it were a command.\n
- Capability inventory: The skill allows the agent to read and write files, and execute
gitandripgrepcommands within the project environment.\n - Sanitization: The skill does not perform validation or sanitization of the content inside the cloned repositories before the agent analyzes them.
Audit Metadata