mapping-suite
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/compile-combined.sh` executes several system utilities including `find`, `yq`, `python3`, `pandoc`, and `base64`. It also uses a Python heredoc to dynamically execute parsing logic on manifest data.
- [DATA_EXFILTRATION]: The orchestration script includes a `--banner` parameter that reads the content of a specified local file and encodes it into a Base64 data URL within the final HTML report. This functionality allows for the potential reading and exposure of sensitive system files.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection through its report aggregation process.
  - Ingestion points: The skill processes the `suite.yaml` manifest, `suite-scope.md` document, and output artifacts (HTML/Markdown) from multiple sibling skills.
  - Boundary markers: Only basic HTML character escaping is implemented for specific manifest fields.
  - Capability inventory: The `compile-combined.sh` script has permissions to read files, write to the local directory, and execute sub-processes.
  - Sanitization: Sanitization is limited to a simple character replacement function in the bash script, which may not be sufficient to prevent malicious content from sibling skills from influencing the final combined navigation artifact.
Audit Metadata