paperclip-page
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
publish.shscript executes theawsCLI for S3 synchronization andcurlfor verifying the live status of the published URL. These are standard operations for a deployment tool and are implemented with proper input validation and shell quoting. - [DATA_EXFILTRATION]: While the skill's purpose is to transmit data to an external S3 bucket, it includes significant safeguards to prevent data exfiltration of sensitive material. The
assert_safe_source_treefunction inscripts/publish.shusesfindto detect and block the inclusion of hidden files or directories (dot-files) and symbolic links. This prevents the accidental upload of credentials or system configuration files. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes a user-provided local directory. However, this is well-mitigated by strict constraints: it requires a root
index.html, forbids hidden files, and validates URL slugs against a strict alphanumeric regex. These measures prevent the inclusion of malicious control files or path traversal attempts. - Ingestion points: Files within the user-specified source directory provided to
publish.sh(SKILL.md, scripts/publish.sh). - Boundary markers: The script explicitly prunes and excludes its own state directory (
.paperclip-page) and blocks all other hidden files. - Capability inventory: File system read access, network access via
aws s3 sync, and HTTP HEAD requests viacurl(scripts/publish.sh). - Sanitization: Slugs are normalized and validated against a restrictive regex; source tree is scanned for symlinks and hidden files prior to execution (scripts/publish.sh).
Audit Metadata