person-intelligence-osint
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The skill claims to conduct "open-source/public" OSINT but explicitly instructs searching private Gmail and Slack integrations (private messages/mentions) and syncing internal files, which is a misaligned and potentially deceptive capability outside the stated public-only scope.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly uses search and browser_navigate to fetch and extract content from open public sources—notably LinkedIn, news sites, Twitter/X, Facebook, GitHub, personal blogs and arbitrary search result URLs—so the agent will read and ingest untrusted, user-generated third-party content as part of its workflow.