create-blog-post-xn--uy0a.tw
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill instructs the agent to execute
./switch-site.shin Step 3. This script is part of the repository cloned in Step 1 (jim60105/blog). Executing scripts from untrusted external sources at runtime is a critical security risk. - Evidence:
Step 3: ./switch-site.sh 聆.tw - EXTERNAL_DOWNLOADS (MEDIUM): The skill clones from
https://github.com/jim60105/blog.gitand interacts withjim60105/ai-talks-content. These are personal repositories from an unverified user and do not belong to the trusted organizations list. The integrity of the scripts and instructions within these repositories cannot be guaranteed. - Evidence:
git clone --recurse-submodules https://github.com/jim60105/blog.git - PROMPT_INJECTION (LOW): The skill relies on external data sources for its core operational logic (Category 8: Indirect Prompt Injection). It processes untrusted files to determine its behavior and formatting rules.
- Ingestion points:
AGENTS.mdand.github/instructions/quill-sage.instructions.md(read during Steps 6 and 7). - Boundary markers: Absent. The agent is instructed to follow the rules inside these external files directly.
- Capability inventory: The agent has permissions to execute shell scripts, write files, and perform network operations via
gitandgh. - Sanitization: None detected. The agent interpolates instructions from external files directly into its task context.
Recommendations
- AI detected serious security threats
Audit Metadata