anysite-vc-analyst
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core workflow of processing untrusted external content.
  - Ingestion points: Data enters the agent's context via mcp__anysite__parse_webpage (startup websites), WebFetch (external links/documents), mcp__anysite__get_linkedin_profile (investor profiles), and WebSearch (portfolio and conflict checks).
  - Boundary markers: Absent. The skill provides no delimiters or specific instructions to the agent to treat external content as untrusted data rather than instructions.
  - Capability inventory: The agent has the ability to read local files (Read), perform network requests (WebFetch, WebSearch), and store sensitive state in data/investor_criteria.json.
  - Sanitization: Absent. Content from LinkedIn and arbitrary websites is used directly for decision-making (scoring) and content generation (outreach), allowing an attacker to manipulate these outputs or trigger the network tools to exfiltrate data.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on unverified MCP (Model Context Protocol) tools from the anysite provider. These tools (mcp__anysite__parse_webpage and mcp__anysite__get_linkedin_profile) are not from a trusted source (e.g., Anthropic, OpenAI) and represent an unverified dependency that could be exploited if the MCP server is compromised.
- [DATA_EXFILTRATION] (MEDIUM): The skill systematically collects sensitive business data including traction metrics (MRR), pitch decks, and financial stages. This data is written to a persistent file (data/investor_criteria.json). The combination of sensitive data storage and network-capable tools (WebFetch, WebSearch) creates a high-risk path for data exfiltration if the agent's logic is subverted.
Recommendations
- AI detected serious security threats
Audit Metadata