lx-block
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is entirely dependent on executing the `lx` CLI to interact with the Lexiang platform. It provides complex command patterns, including the use of shell-like loops and variable interpolation (e.g., using `jq` to parse block IDs and iterating over them to execute updates).
- [PROMPT_INJECTION]: The skill facilitates Indirect Prompt Injection (Category 8) by ingesting untrusted data from an external knowledge base that is subsequently processed by the agent.
  - Ingestion points: Content is read into the agent's context using tools such as `lx block find`, `lx block get`, and `lx block export` (as described in `SKILL.md` and `references/block-advanced.md`).
  - Boundary markers: The instructions do not specify the use of delimiters or specific system instructions to prevent the agent from obeying commands embedded within the retrieved document blocks.
  - Capability inventory: The skill provides highly capable modification tools including `lx block update`, `lx block delete`, and `lx block replace-section`, which can be leveraged if the agent is misled by data-embedded instructions.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from the knowledge base before it is used to influence the agent's decisions.
- [SAFE]: No obfuscation, multi-layer encoding, or hidden content was found in the provided files. The skill correctly identifies itself as a tool for a specific vendor service ('tencent-lexiang') and uses resources consistent with that identity.
- [SAFE]: The skill includes explicit security boundaries, instructing the agent to switch to other specialized skills for operations like creating new pages or pushing changes to Git, which demonstrates a principle of least privilege in its design.
Audit Metadata