
wiki-ingest

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external URLs and local files without sanitization or boundary markers.
  • Ingestion points: Untrusted data enters the agent context via user-provided file paths, external URLs (fetched via browse skill), and pasted text as described in Step 1 of SKILL.md.
  • Boundary markers: The instructions lack delimiters (e.g., XML tags or triple quotes) or 'ignore embedded instructions' warnings for the ingested content, explicitly mandating the agent 'Read all content... Do not skip' in Step 2.
  • Capability inventory: The skill possesses extensive file system capabilities, including reading SCHEMA.md and all files in wiki/pages/, and writing/updating multiple files such as wiki/pages/<slug>.md, wiki/index.md, wiki/overview.md, and wiki/log.md.
  • Sanitization: No validation or filtering is performed on the ingested content before it is used to generate summaries and update entity pages.
  • [DATA_EXFILTRATION]: The skill allows the agent to read any user-provided 'File path'.
  • Evidence: Step 1 in SKILL.md instructs the agent to 'read it directly' and 'copy to raw/' for any provided file path. This capability could be exploited to ingest sensitive local files (e.g., SSH keys, credentials, or configuration files) into the wiki structure or disclose them in the agent's summary output.
Audit Metadata
Risk Level: SAFE
Analyzed: May 2, 2026, 08:50 PM