reduck
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute various `reduck` CLI commands to perform search, discovery, and web automation tasks. This also includes dynamic context injection in `SKILL.md`, where the `!` syntax is used to execute help commands like `reduck --help` and `reduck run --help` during the skill loading process to inline live documentation.
- [EXTERNAL_DOWNLOADS]: The instructions require the user to install the `@reduck-ai/cli` package via npm. This is a legitimate vendor resource provided by the skill's author to enable the functionality described.
- [PROMPT_INJECTION]: The skill is designed to process content from arbitrary web pages (scraping and searching), which introduces a surface for indirect prompt injection where instructions hidden on a website could attempt to manipulate the agent's behavior.
  - Ingestion points: Untrusted data enters the agent context through the output of commands like `reduck search <query>` and `reduck run --method <host>/<slug>` (found in `SKILL.md`).
  - Boundary markers: The instructions suggest using structured formats like JSON or YAML for outputs, which provides some structural delimitation, but does not explicitly require the agent to ignore instructions found within the data.
  - Capability inventory: The agent has the capability to execute shell commands and read files (detailed in `SKILL.md`).
  - Sanitization: There is no mention of sanitization or filtering for the external web content being processed.
Audit Metadata