crypt-librarian
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing various local Python and Bash scripts, such as
crypt_db.py,generate_taste_seeds.py, andexa_film_search.py, to manage its film database and perform research. These scripts grant the agent control over the local environment to manage thefilms.jsonarchive and log files. - [EXTERNAL_DOWNLOADS]: The skill makes network requests to the Exa AI API and the Reddit JSON API to retrieve film recommendations and lists. These operations fetch data from external, untrusted sources which are then processed by the agent in its workspace.
- [PROMPT_INJECTION]: The skill architecture creates a surface for indirect prompt injection by ingesting external data while maintaining high-privilege capabilities such as shell access. Maliciously crafted content on the web (e.g., in a Letterboxd list or a Reddit post) could potentially influence the agent's behavior when it processes those search results.
- Ingestion points: Web content and API responses from
api.exa.aiandreddit.comare ingested into the agent context viaexa_film_search.pyandflexible_discovery.py. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the workflows for processing external data.
- Capability inventory: The skill has the capability to execute local Python and Bash scripts, use file-editing tools for local JSON files, and run web scraping tools like
firecrawlvia the command line. - Sanitization: There is no evidence of sanitization or validation of the text retrieved from the internet before it is analyzed by the agent.
Audit Metadata