company-deep-dive
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the @nimbleway/cli tool, which is installed from the official npm registry during the onboarding process. This is a standard installation of a vendor-owned resource necessary for the skill's operation.\n- [INDIRECT_PROMPT_INJECTION]: The skill fetches and processes public web data to generate reports, which is its primary function but also creates a potential attack surface for indirect prompt injection.\n
- Ingestion points: Web search results (nimble search) and extracted page content (nimble extract) processed in SKILL.md (Steps 3 and 4).\n
- Boundary markers: The skill uses structured report templates but lacks explicit delimiters or instructions to ignore embedded commands within the retrieved external content.\n
- Capability inventory: The skill can read and write to a dedicated local directory (~/.nimble/), execute specific bash commands (nimble, python3), and spawn sub-agents.\n
- Sanitization: No explicit content sanitization or filtering logic for external data is mentioned in the instructions.
Audit Metadata