writing-web
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is explicitly designed for 'reviewing web templates, stylesheets, or scripts', which involves ingesting untrusted third-party content. It lacks any boundary markers or instructions to disregard embedded commands within the processed data.
  - Ingestion points: Files accessed via the 'Read', 'Glob', and 'Grep' tools during code review or writing tasks.
  - Boundary markers: Absent; there are no delimiters or warnings to treat processed content as data rather than instructions.
  - Capability inventory: The agent is granted the 'Bash' tool, which allows arbitrary command execution, file system modification, and potential network access.
  - Sanitization: None; the skill provides no mechanism to filter or escape instructions embedded in reviewed files.
- [Command Execution] (LOW): The 'Bash' tool is explicitly allowed in the metadata. While the current instructions do not direct it toward malicious use, its availability while processing untrusted code (Category 8) constitutes a high-severity configuration risk.
Recommendations
- AI detected serious security threats
Audit Metadata