ai-rag-pipeline

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the 'belt-sh/cli' tool using 'npx' and references installation instructions hosted on 'raw.githubusercontent.com/inference-sh/'. These resources are part of the core functionality for interacting with the inference.sh platform.
  • [COMMAND_EXECUTION]: The skill makes extensive use of shell command execution via the 'belt' CLI to perform web searches, content extraction, and LLM inference. These operations are scoped to the 'belt' binary in the frontmatter configuration.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests data from external web searches and URL extraction tools, which is then interpolated directly into LLM prompts.
  • Ingestion points: Untrusted data enters the context through variables like '$SEARCH_RESULT', '$CONTENT', and '$EVIDENCE' in 'SKILL.md'.
  • Boundary markers: No explicit delimiters or instructions are used to separate retrieved context from agent instructions.
  • Capability inventory: The skill possesses shell execution capabilities ('belt app run') which could be targeted by malicious content in retrieved data.
  • Sanitization: There is no evidence of filtering or sanitization of the external content before it is processed by the LLM.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 04:46 PM