book-finder
Warn
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides shell command templates using
curl,grep, andheadthat incorporate variables such asQUERY,HASH, andURL. These variables are derived from user input (book titles) and external search results. If the agent executes these commands via a shell without strict escaping or sanitization of the interpolated strings, an attacker could potentially execute arbitrary commands on the system. - [EXTERNAL_DOWNLOADS]: The skill identifies and downloads files from several untrusted external domains, including shadow libraries like Libgen and Anna's Archive, as well as various public university servers. These sources are not verified and could host malicious payloads, malware, or deceptive files targeting the agent or the end user.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface (Category 8) because it ingests and processes untrusted data from the web to identify download links.
- Ingestion points: External search result pages from Libgen, Anna's Archive, and general web search queries.
- Boundary markers: Absent. The instructions do not direct the agent to treat external content as data only or to ignore instructions that might be embedded in the scraped text.
- Capability inventory: The skill possesses the ability to perform network requests (
curl), write to the local filesystem (/tmp/), and execute shell commands. - Sanitization: No sanitization or validation of the search results or extracted URLs is defined before they are used in subsequent processing or shell execution.
Audit Metadata