multi-ai-research

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill has an attack surface for indirect prompt injection via the research-agent, which uses untrusted inputs.
      1. Ingestion points: subagents/research-agent.md uses web_search and read tools to gather info.
      2. Boundary markers: Absent; subagent instructions lack explicit delimiters or instructions to disregard embedded commands in retrieved data.
      3. Capability inventory: Subagents are restricted to read, grep, glob, and web_search.
      4. Sanitization: Absent; no validation of external content is performed.
  • [External Downloads] (LOW): README.md recommends installing global NPM packages from @google and @openai scopes. Per the TRUST-SCOPE-RULE, these are treated as low risk due to trusted organization ownership.
  • [Command Execution] (LOW): The skill documentation references a missing orchestration script (scripts/analyze.sh) and local CLIs (gemini, codex) for execution.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Feb 17, 2026, 06:28 PM