epist
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the epist CLI tool to manage a local SQLite database, a Git repository, and vector embeddings. It involves frequent execution of shell commands for initializing, adding, searching, and deleting knowledge base entries.
- [DYNAMIC_EXECUTION]: The skill explicitly integrates with Quarto, which renders documents containing executable code blocks (Python, R, etc.). This allows the agent to run arbitrary local code via quarto render to perform data analysis and generate visualizations, which is a powerful capability that requires careful monitoring.
- [DATA_EXFILTRATION]: The epist mcp command starts a Model Context Protocol server that exposes the entire epistemological knowledge base to the AI agent's context. While intended for retrieval, this provides a mechanism for the agent to access and potentially transmit large amounts of structured data stored in the .epist/ directory.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  - Ingestion points: Data is ingested through the epist add fact and epist add conclusion commands in SKILL.md.
  - Boundary markers: The system does not specify any boundary markers or instructions to ignore embedded commands within retrieved facts.
  - Capability inventory: The agent can execute shell commands, run Python code via Quarto, and perform file system operations across all scripts.
  - Sanitization: There is no mention of sanitizing or escaping the content of facts before they are retrieved and processed by the agent during epist search or epist get operations.
Audit Metadata