docs-workflows

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute local project scripts (e.g., node scripts/fix-config-hardlinks.mjs, npm run build:prompts-data) and command-line utilities like gh (GitHub CLI) and curl to manage project configuration and automate issue creation.
  • [EXTERNAL_DOWNLOADS]: The agent is guided to access well-known external platforms (Juejin, Bilibili) using browser tools and APIs to fetch article and video metadata. It also downloads image assets using curl and downloadRemoteFile for inclusion in the project's documentation.
  • [DATA_EXFILTRATION]: Assets fetched from the web are uploaded to the project's own cloud storage using the manageStorage tool. No sensitive project data is sent to unauthorized third parties.
  • [PROMPT_INJECTION]: The skill processes untrusted content from external websites (article titles, video descriptions), creating an indirect prompt injection surface. Evidence: (1) Ingestion points: references/add_article_tutorial.md, references/add_video_tutorial.md. (2) Boundary markers: Absent. (3) Capability inventory: Subprocess calls (node, npm, gh) and file-write operations. (4) Sanitization: Missing, though the skill provides quality checklists for manual verification of imported content.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 21, 2026, 09:45 AM