agent-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill provides templates for agents (Support Triage, Sales Qualification, Marketing Coordinator) that ingest untrusted external data.
- Ingestion points: SKILL.md identifies 'Ticket text', 'Inbound form', and 'Marketing brief' as primary inputs from external sources.
- Capability inventory: Templates grant tools including Write, Edit, and Bash to agents processing this untrusted data. Specifically, the 'Ops Checklist Agent' is suggested to use Bash on system data, and the 'Marketing Coordinator' uses Write and Edit on campaign briefs.
- Sanitization: No boundary markers, delimiters, or explicit sanitization instructions are provided in the skill to prevent the AI from obeying instructions embedded within that data.
- External Script Execution (MEDIUM): The skill directs users to execute shell scripts that perform system-level operations without providing the script contents for audit.
- Evidence: References to scripts/setup-vps.sh and scripts/deploy-agent.sh for configuring and deploying to a VPS.
- Dependency Risks (LOW): The skill requires the installation of external packages.
- Evidence: npm install @anthropic-ai/claude-agent-sdk express ws
- Status: Downgraded to LOW/INFO per [TRUST-SCOPE-RULE] because @anthropic-ai is a trusted organization and express/ws are standard industry packages.
Recommendations
- AI detected serious security threats
Audit Metadata