Skills
skills/andy160675/sovereign-skills-season1/person-intelligence-osint/Gen Agent Trust Hub

person-intelligence-osint

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill presents a HIGH risk primarily due to its susceptibility to prompt injection and its design to process and synthesize untrusted external content. The direct embedding of user input into search queries and the subsequent processing of arbitrary web content create significant attack vectors.

Total Findings: 3

🔴 HIGH Findings: • Prompt Injection

  • SKILL.md: The skill directly embeds user-provided inputs (person_name, job_title, company_name) into search tool queries (e.g., "{{person_name}}" "{{company_name}}" site:linkedin.com). This is a direct prompt injection vector, allowing an attacker to craft malicious inputs to manipulate the search tool's behavior or subsequent LLM processing. Additionally, the skill synthesizes content from arbitrary external websites into a final dossier. If this external content contains malicious instructions, it poses a significant indirect prompt injection risk when the dossier is later processed by an LLM.

🟡 MEDIUM Findings: • Arbitrary Web Content Browsing

  • SKILL.md: In Step 4, the skill uses browser_navigate to visit arbitrary URLs identified by the search tool (e.g., news articles, social media profiles). Browsing untrusted external websites carries inherent risks, such as exposure to malicious web content, potential drive-by downloads, or other web-based attacks if the browser tool has vulnerabilities. This is categorized as 'EXTERNAL_DOWNLOADS' due to fetching content from unverified external sources.

🔵 LOW Findings: • Access to Sensitive User Data

  • SKILL.md: In Step 6, the skill conditionally uses gmail_search_messages and slack_search_public_and_private to search for correspondence or mentions of the subject. While this functionality is explicitly stated and conditional on user integration, it involves accessing potentially sensitive private user data. Although the data is intended for the user and not directly exfiltrated to an external attacker, it represents a high-privilege operation that could be misused if the skill itself were compromised.

================================================================================

Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 12, 2026, 06:53 PM