create-blog-post-xn--uy0a.tw

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill instructs the agent to execute ./switch-site.sh in Step 3. This script is part of the repository cloned in Step 1 (jim60105/blog). Executing scripts from untrusted external sources at runtime is a critical security risk.
  • Evidence: Step 3: ./switch-site.sh 聆.tw
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill clones from https://github.com/jim60105/blog.git and interacts with jim60105/ai-talks-content. These are personal repositories from an unverified user and do not belong to the trusted organizations list. The integrity of the scripts and instructions within these repositories cannot be guaranteed.
  • Evidence: git clone --recurse-submodules https://github.com/jim60105/blog.git
  • PROMPT_INJECTION (LOW): The skill relies on external data sources for its core operational logic (Category 8: Indirect Prompt Injection). It processes untrusted files to determine its behavior and formatting rules.
  • Ingestion points: AGENTS.md and .github/instructions/quill-sage.instructions.md (read during Steps 6 and 7).
  • Boundary markers: Absent. The agent is instructed to follow the rules inside these external files directly.
  • Capability inventory: The agent has permissions to execute shell scripts, write files, and perform network operations via git and gh.
  • Sanitization: None detected. The agent interpolates instructions from external files directly into its task context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 03:59 PM
Security Audit — agent-trust-hub — create-blog-post-xn--uy0a.tw