crypt-librarian

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on executing various local Python and Bash scripts, such as crypt_db.py, generate_taste_seeds.py, and exa_film_search.py, to manage its film database and perform research. These scripts grant the agent control over the local environment to manage the films.json archive and log files.
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to the Exa AI API and the Reddit JSON API to retrieve film recommendations and lists. These operations fetch data from external, untrusted sources which are then processed by the agent in its workspace.
  • [PROMPT_INJECTION]: The skill architecture creates a surface for indirect prompt injection by ingesting external data while maintaining high-privilege capabilities such as shell access. Maliciously crafted content on the web (e.g., in a Letterboxd list or a Reddit post) could potentially influence the agent's behavior when it processes those search results.
  • Ingestion points: Web content and API responses from api.exa.ai and reddit.com are ingested into the agent context via exa_film_search.py and flexible_discovery.py.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the workflows for processing external data.
  • Capability inventory: The skill has the capability to execute local Python and Bash scripts, use file-editing tools for local JSON files, and run web scraping tools like firecrawl via the command line.
  • Sanitization: There is no evidence of sanitization or validation of the text retrieved from the internet before it is analyzed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — crypt-librarian