wiki-builder

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
Finding categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: Arbitrary file read capability through CLI tool.
      ◦ Evidence: The page command in scripts/wiki-cli.js uses fs.readFileSync on a path supplied via the --from-file argument. This allows the agent to read any file on the host system accessible to the user, potentially exposing sensitive files like ~/.ssh/id_rsa or .env if the agent is manipulated via prompt injection.
  • [PROMPT_INJECTION]: Vulnerability to indirect prompt injection during source ingestion.
      ◦ Ingestion points: The skill processes untrusted external content stored in the raw/ directory using templates like templates/prompts/compile-source-page.md.
      ◦ Boundary markers: The prompts lack delimiters or explicit instructions to the model to ignore embedded commands within the source material.
      ◦ Capability inventory: The skill can write files to the local file system and update a SQLite search index via scripts/wiki-cli.js.
      ◦ Sanitization: No sanitization or validation is performed on the ingested source content before it is interpolated into prompts for the agent.
  • [COMMAND_EXECUTION]: Susceptibility to sed script injection during wiki initialization.
      ◦ Evidence: In scripts/init_wiki.sh, the render function uses sed with a | delimiter to replace placeholders: sed -e "s|{{TITLE}}|$title|g". Since the $title variable is expanded directly within the sed command string, a title containing | could be used to inject additional sed commands, potentially altering the generated wiki configuration or templates.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 12, 2026, 12:22 PM