the-librarian

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill clones external repositories to the local environment using git. This is the intended behavior for maintaining a reference library.
    • Evidence: git clone --depth 1 --single-branch <url> <library-root>/sources/<owner>_<repo> in references/stock.md.
  • [PROMPT_INJECTION]: The skill facilitates the ingestion and processing of untrusted data from external repositories, which creates a potential vector for indirect prompt injection: malicious instructions in the source code could influence the agent's logic.
    • Ingestion points: Untrusted data enters the environment via repository cloning in references/stock.md and is processed through file reads and searches in references/consult.md and references/research.md.
    • Boundary markers: The instructions do not define delimiters or provide specific prompts to the model to ignore embedded instructions in the reference documents, increasing the likelihood of the model following malicious content as if it were a command.
    • Capability inventory: The skill allows the agent to read and write files, and to execute git and ripgrep commands within the project environment.
    • Sanitization: The skill does not perform validation or sanitization of the content inside the cloned repositories before the agent analyzes them.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 10:27 PM
Security Audit — agent-trust-hub — the-librarian