lead-research-assistant
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONNO_CODE
Full Analysis
- Data Exposure (MEDIUM): The skill explicitly instructs the agent to 'analyze the codebase' to understand the product value proposition. This grants the agent access to potentially sensitive local files, intellectual property, or environment configurations within the user's repository.
- Indirect Prompt Injection (MEDIUM): The skill's primary function involves ingesting data from untrusted external sources such as job postings, news articles, and company websites. These sources can be manipulated by attackers to include hidden instructions designed to hijack the agent's behavior (e.g., redirecting research results to an attacker-controlled endpoint).
- Ingestion points: External web search results (news, job postings, company sites) and local codebase analysis.
- Boundary markers: None. The instructions lack delimiters or specific warnings to ignore instructions embedded in the external content.
- Capability inventory: Capability to read local files (codebase) and a recommendation to save output to files (CSV export).
- Sanitization: None. The agent is not instructed to filter or sanitize external data before processing or outputting it.
- Metadata Poisoning (LOW): While the metadata is currently benign, the reliance on external research makes the skill vulnerable to poisoning if the research process is tricked into accepting malicious metadata from 'target' companies.
Audit Metadata