skills/tw93/waza/read/Gen Agent Trust Hub

read

Pass

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill operates by ingesting and processing untrusted content from external web URLs and PDF files, which is a known attack surface for indirect prompt injection. However, it incorporates robust mitigations. \n
  • Ingestion points: Untrusted data enters the agent context through URLs, PDFs, WeChat articles, and Feishu documents (SKILL.md, references/read-methods.md).\n
  • Boundary markers: The skill uses structured output templates (Source, URL, Summary, Details) to isolate metadata from the extracted document body (SKILL.md).\n
  • Capability inventory: The skill uses curl, python3, npx, and the gh CLI to fetch and transform document content (scripts/fetch.sh, references/read-methods.md).\n
  • Sanitization: There are explicit 'Hard Rules' in the instructions commanding the agent to treat fetched content as data rather than instructions, and to specifically ignore and report any role-play or instruction-overriding attempts found within the content, such as 'ignore previous instructions' (SKILL.md).\n- [EXTERNAL_DOWNLOADS]: The skill fetches document data from remote sources. It employs a proxy cascade involving services like defuddle.md and r.jina.ai to handle extraction from difficult pages. It also utilizes raw.githubusercontent.com for direct file access. These external references are standard for the skill's primary functionality (scripts/fetch.sh, SKILL.md).\n- [COMMAND_EXECUTION]: The skill relies on command-line tools to perform its tasks, including curl for network fetching, python3 for running extraction scripts, and npx for Node-based tools. It also integrates with the gh CLI for accessing GitHub repositories. These operations are consistent with the documented purpose of document processing and summarization (references/read-methods.md).
Audit Metadata
Risk Level
SAFE
Analyzed
May 29, 2026, 06:30 PM
Security Audit — agent-trust-hub — read