Skills
NYC
skills/aktsmm/agent-skills/customer-workspace/Gen Agent Trust Hub

customer-workspace

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICALPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection vulnerability through untrusted data ingestion. The skill instructs the agent to process external content such as Teams chats, emails, and Slack messages to populate an 'inbox' or generate meeting minutes.
  • Ingestion points: assets/inbox.prompt.md and assets/convert-meeting-minutes.prompt.md define logic for the agent to ingest external text snippets.
  • Boundary markers: Absent. The instructions do not define delimiters or specific 'ignore' directives to prevent the agent from executing instructions potentially embedded in the ingested text.
  • Capability inventory: The agent is given instructions to create folder structures and write files (e.g., {日付}/_議事録.md).
  • Sanitization: Absent. There is no logic provided to escape or validate the content extracted from the untrusted sources before it is used in file-writing operations.
  • COMMAND_EXECUTION (SAFE): The initialization script scripts/Initialize-CustomerWorkspace.ps1 performs standard file system operations using PowerShell.
  • Analysis: The script handles folder creation (New-Item), file copying (Copy-Item), and basic string replacement for templates. It does not invoke any network-facing commands (e.g., Invoke-WebRequest), does not use eval-style dynamic execution, and does not require elevated privileges (sudo/admin).
  • EXTERNAL_DOWNLOADS (SAFE): No external dependencies, package installations, or remote script executions were identified. The skill relies entirely on local assets and templates.
  • DATA_EXFILTRATION (SAFE): No suspicious network activity or access to sensitive local files (like SSH keys or AWS credentials) was detected. All file operations are restricted to the local workspace context.
  • CAT_7_METADATA_NOTE (SAFE): An automated scanner alert suggested a malicious URL in profile.md. However, analysis of the source template assets/_templates/customer-profile.md and the initialization script revealed no malicious URLs or blacklisted domains. The alert likely refers to a runtime artifact or is a false positive based on the provided source.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 17, 2026, 06:10 PM