newsletter-digest
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from external RSS feeds which are then summarized by the AI.
  - Ingestion points: The `scripts/fetch-feeds.js` script fetches content from URLs defined in `feeds.json`.
  - Boundary markers: Absent. The synthesis prompt in `SKILL.md` (Step 4) interpolates article content directly into the instruction block without robust delimiters to distinguish source data from instructions.
  - Capability inventory: The agent can execute shell commands via Node.js scripts and has file system access to read/write temporary JSON data.
  - Sanitization: `scripts/fetch-feeds.js` performs basic HTML stripping for excerpts, but no sanitization or escaping is performed on the text to prevent embedded prompt instructions from influencing the LLM.
- [COMMAND_EXECUTION]: The skill executes local JavaScript files using Node.js to perform core logic. Notable findings include:
  - Hardcoded paths: `SKILL.md` uses absolute paths (e.g., `/Users/ksd/Desktop/Varnan_skills/newsletter-digest/`) for script execution and file checks, which may cause errors or path traversal risks in different environments.
  - Verification logic: The agent is instructed to run `node -e` to manually parse and verify the JSON output of the fetch script.
- [EXTERNAL_DOWNLOADS]: The skill programmatically fetches data from external RSS/Atom feed URLs specified in the `feeds.json` configuration file.
Audit Metadata