duende-docs
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill is designed to scrape documentation content from official sources at docs.duendesoftware.com. Specifically, it targets the llms-full.txt endpoint to maintain a local canonical store. This is the primary function of the skill and uses a trusted vendor domain.
- [COMMAND_EXECUTION]: The skill utilizes Python scripts and the Bash tool to perform maintenance tasks. duende_docs_api.py executes internal scripts like refresh_index.py using subprocess.run. These executions are limited to the skill's own directory and are used for index management.
- [PROMPT_INJECTION]: SKILL.md contains strict operational instructions intended to override default AI agent tendencies that could lead to technical failure. These include constraints against using "cd &&" in PowerShell to avoid path doubling and a prohibition on using the read_file tool on the large index.yaml file to prevent context-limit errors. These are legitimate reliability guardrails rather than malicious injections.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists because the skill processes external documentation content.
  - Ingestion points: scripts/core/llms_full_parser.py and scripts/core/scrape_docs.py (implied) ingest content from external URLs into the agent's environment.
  - Boundary markers: The parser uses ----- separators, but the instructions do not explicitly warn the agent to ignore instructions embedded within the documentation text.
  - Capability inventory: The skill has access to command execution via Python and Bash tools.
  - Sanitization: Content is parsed for metadata, but there is no evidence of sanitization to filter out natural language instructions targeting the AI agent.
Audit Metadata