clinical-trial-protocol-skill
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill specifically requests a 'Custom Protocol Template' (Step 2.5 in 00-initialize-intervention.md) and processes 'initial_context' which can include 'substantial documentation'. These are high-risk ingestion points for indirect prompt injection that could influence the agent's logic in subsequent protocol generation steps.
- [COMMAND_EXECUTION] (MEDIUM): In 05-concatenate-protocol.md (Step 2), the skill explicitly instructs the agent to use the `cat` command via a shell (`cat ... > ...`). While the paths appear static, this represents a pattern of direct shell interaction which can be exploited if input paths were ever made dynamic.
- [EXTERNAL_DOWNLOADS] (LOW): The skill relies on external data from ClinicalTrials.gov and FDA guidance documents (Step 1). Per [TRUST-SCOPE-RULE], these are likely trusted sources, but the process of ingesting this unstructured external content into a generative pipeline creates an 'Indirect Prompt Injection' surface.
- [INDIRECT_PROMPT_INJECTION] (HIGH): Mandatory Evidence Chain:
  - Ingestion points: `references/00-initialize-intervention.md` (Step 2.5: user-provided template; Step 2: 'initial_context' from rich documentation; Step 1 in README: WebSearch for FDA guidance).
  - Boundary markers: None mentioned in the provided files to separate untrusted data from system instructions.
  - Capability inventory: File system writes (JSON and MD), shell command execution (`cat`), and complex decision-making (statistical power analysis using `scipy`/`numpy`).
  - Sanitization: None described. The skill preserves 'rich context' for later phases without validation or filtering.
Recommendations
- AI detected serious security threats