read
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill operates by ingesting and processing untrusted content from external web URLs and PDF files, which is a known attack surface for indirect prompt injection. However, it incorporates robust mitigations. \n
- Ingestion points: Untrusted data enters the agent context through URLs, PDFs, WeChat articles, and Feishu documents (SKILL.md, references/read-methods.md).\n
- Boundary markers: The skill uses structured output templates (Source, URL, Summary, Details) to isolate metadata from the extracted document body (SKILL.md).\n
- Capability inventory: The skill uses
curl,python3,npx, and theghCLI to fetch and transform document content (scripts/fetch.sh, references/read-methods.md).\n - Sanitization: There are explicit 'Hard Rules' in the instructions commanding the agent to treat fetched content as data rather than instructions, and to specifically ignore and report any role-play or instruction-overriding attempts found within the content, such as 'ignore previous instructions' (SKILL.md).\n- [EXTERNAL_DOWNLOADS]: The skill fetches document data from remote sources. It employs a proxy cascade involving services like
defuddle.mdandr.jina.aito handle extraction from difficult pages. It also utilizesraw.githubusercontent.comfor direct file access. These external references are standard for the skill's primary functionality (scripts/fetch.sh, SKILL.md).\n- [COMMAND_EXECUTION]: The skill relies on command-line tools to perform its tasks, includingcurlfor network fetching,python3for running extraction scripts, andnpxfor Node-based tools. It also integrates with theghCLI for accessing GitHub repositories. These operations are consistent with the documented purpose of document processing and summarization (references/read-methods.md).
Audit Metadata