Skill: skills/kfchou/wiki-skills/wiki-audit

wiki-audit

Verdict: Warn

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: MEDIUM
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it ingests untrusted data from wiki pages and source files and passes it to subagents for processing.
      • Ingestion points: The agent reads wiki pages (wiki/pages/<slug>.md) and raw source files located in raw/ or assets/ (SKILL.md, Sections 1 and 3).
      • Boundary markers: The instructions do not specify any delimiters (e.g., XML tags, triple backticks) or "ignore embedded instructions" directives when passing untrusted content to subagents.
      • Capability inventory: The agent has the capability to read any file on the system (via the resolution logic), write new files (audit reports), and modify existing wiki pages (applying fixes) based on the subagent's output.
      • Sanitization: There is no mention of sanitizing or validating the content of the wiki pages or the source files before processing.
  • [DATA_EXFILTRATION]: The citation resolution logic contains a path traversal vulnerability that could lead to unauthorized data exposure.
      • Evidence: In Phase B (SKILL.md, Section 3), the skill instructs the agent to resolve targets starting with raw/ or assets/ by reading the file "directly." If a malicious wiki page contains a footnote such as [^1]: raw/../../.ssh/id_rsa, the agent may attempt to read sensitive system files outside of the intended wiki directory, because there are no instructions to sanitize the path or prevent directory traversal (e.g., checking for ..).
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 2, 2026, 08:50 PM