leafmill
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: HIGH
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes external markdown files, which presents a surface for indirect prompt injection attacks.
  - Ingestion point: The skill reads local markdown files via the `publish.sh` script to transmit their content to the hosting server.
  - Boundary markers: No explicit boundary markers or instructions to the agent to treat the embedded content as untrusted were found in the instructions.
  - Capability inventory: The skill has the ability to read local files and perform network operations via `curl`.
  - Sanitization: No sanitization or validation of the markdown content is performed before it is processed or transmitted.
- [REMOTE_CODE_EXECUTION]: The README.md file contains installation instructions recommending that users pipe a remote script directly to their shell (`curl -fsSL https://leafmill.net/install.sh | bash`). This is a common but high-risk pattern for executing unverified remote code.
- [DATA_EXFILTRATION]: The skill is designed to read the contents of local files and transmit them to an external domain (leafmill.net). While this is the intended functionality of the service, it represents a data transmission vector that requires user awareness, especially when processing sensitive documents.
Recommendations
- HIGH: Downloads and executes remote code from: https://leafmill.net/install.sh - DO NOT USE without thorough review
Audit Metadata