shiyi
Warn
Audited by Gen Agent Trust Hub on Jun 10, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/export_xlsx.jsdynamically generates a Python script at runtime to facilitate Excel exports with embedded images. This script is written to a temporary location and executed viachild_process.execFileusing the host'spython3orpythoninterpreter. This pattern of runtime code generation and execution constitutes a dynamic execution risk. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection in
scripts/parse_input.js. User-provided captions for image uploads are interpolated directly into the prompt sent to the vision model:${prompt}\n\n用户附带说明:「${caption}」. This lacks robust boundary markers or safety instructions for the model to ignore instructions within the user text. - Ingestion points:
captionparameter inparseImageInput(scripts/parse_input.js). - Boundary markers: Chinese brackets (
「and」) are used, but no explicit instructions to ignore embedded commands are present. - Capability inventory: The skill can write to the local file system (
wrong_questions.json) and execute system commands (pythonviaexport_xlsx.js). - Sanitization: No sanitization or escaping of the
captionstring was identified.
Audit Metadata