karpathy-llm-wiki
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of processing untrusted data.
- Ingestion points: Untrusted data enters the agent context via placeholders in SKILL.md such as '[PASTE RAW CONTENT]', '[NEW_INFO]', and the weekly reading list in the 'Weekly Ingest Prompt'.
- Boundary markers: The prompt templates in SKILL.md rely on simple labels (e.g., 'Existing page content:') rather than robust delimiters or explicit warnings to ignore instructions found within the variable content.
- Capability inventory: As described in SKILL.md, the agent possesses capabilities for file system access (reading, writing, and updating markdown files in an Obsidian vault) and potentially network access to fetch source articles.
- Sanitization: There is no evidence in SKILL.md of sanitization, validation, or escaping logic to prevent malicious content within ingested sources from influencing the agent's actions or accessing the local wiki data.
Audit Metadata