shiyi

Warn

Audited by Gen Agent Trust Hub on Jun 10, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/export_xlsx.js dynamically generates a Python script at runtime to facilitate Excel exports with embedded images. This script is written to a temporary location and executed via child_process.execFile using the host's python3 or python interpreter. This pattern of runtime code generation and execution constitutes a dynamic execution risk.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection in scripts/parse_input.js. User-provided captions for image uploads are interpolated directly into the prompt sent to the vision model: ${prompt}\n\n用户附带说明:「${caption}」. This lacks robust boundary markers or safety instructions for the model to ignore instructions within the user text.
  • Ingestion points: caption parameter in parseImageInput (scripts/parse_input.js).
  • Boundary markers: Chinese brackets ( and ) are used, but no explicit instructions to ignore embedded commands are present.
  • Capability inventory: The skill can write to the local file system (wrong_questions.json) and execute system commands (python via export_xlsx.js).
  • Sanitization: No sanitization or escaping of the caption string was identified.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 10, 2026, 12:43 PM
Security Audit — agent-trust-hub — shiyi