tiangong-kb-textbook-search
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the official vendor CLI package
@tiangong-ai/clifrom the NPM registry usingnpxat runtime. This resource is provided by the skill's author and is necessary for its core functionality. - [COMMAND_EXECUTION]: The wrapper script
textbook_search.shexecutes the CLI tool to perform searches. It parses user input withjqand uses Bash arrays for command construction, effectively preventing shell command injection vulnerabilities. - [PROMPT_INJECTION]: The skill processes untrusted data from user queries and external files, presenting a potential indirect prompt injection surface.
- Ingestion points: User-provided search strings (
query) and JSON configuration files (input_file) are loaded into the script's execution context. - Boundary markers: No explicit delimiters are used to wrap query strings in the command execution, but input is treated as a single argument.
- Capability inventory: The script can execute subprocesses via the Tiangong AI CLI and read local configuration files.
- Sanitization: Input is validated as valid JSON using
jq, and the use of Bash arrays for argument passing prevents the execution of arbitrary shell commands through input strings. - [DATA_EXFILTRATION]: The skill includes logic to load
.envfiles for configuration. This behavior is restricted to the directory of the provided input file and is used for standard credential management, with logic to mask credentials in dry-run mode.
Audit Metadata