readwise-research
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and summarizes untrusted external content from the user's Readwise documents.\n
- Ingestion points: Uses
reader-get-document-detailsandreader-get-document-highlightsto pull arbitrary text into the agent context inSKILL.md.\n - Boundary markers: Lacks instructions for the agent to treat retrieved document content as data rather than instructions.\n
- Capability inventory: The agent can modify the user's library (tagging, moving files) based on directions found within the untrusted content using the
readwiseCLI.\n - Sanitization: No validation or filtering of the retrieved content is performed before processing.\n- [EXTERNAL_DOWNLOADS]: The skill recommends installing
@readwise/cli, which is a recognized package from a well-known service.\n- [COMMAND_EXECUTION]: The skill uses shell commands via the localreadwiseCLI for its core functionality of data retrieval and library management.
Audit Metadata