note-article
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using sips, ffmpeg, and ffprobe for media processing tasks, such as cropping images to specific aspect ratios and converting video clips to GIFs.
- [EXTERNAL_DOWNLOADS]: The skill references and depends on an external MCP server, note-mcp, hosted in a public GitHub repository (drillan/note-mcp).
- [PROMPT_INJECTION]: The skill ingests untrusted user data, including article themes, target audiences, and media files, which are used to generate content and metadata for publication. This creates a surface for indirect prompt injection.
  - Ingestion points: User-provided themes, targets, goals, and video files are processed in SKILL.md (Step 1 and Step 6.5).
  - Boundary markers: The templates in templates/article.md use basic placeholders but do not include explicit security delimiters to isolate user-generated content from system instructions.
  - Capability inventory: The skill can perform network operations via note-mcp tools (creating drafts, uploading images, publishing articles) and execute shell commands via ffmpeg and sips.
  - Sanitization: No explicit sanitization or validation of user-provided strings or file metadata is mentioned before interpolation into prompts or shell commands.
- [SAFE]: Security is enhanced by mandatory manual verification steps (Step 2 and Step 8), ensuring the user reviews the article structure and provides explicit permission before any content is published live.
Audit Metadata