marketing-writer
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by requiring the agent to ingest untrusted data from project repositories to determine marketing context.
  - Ingestion points: The workflow in SKILL.md mandates reading README.md, package.json, project documentation, and scanning entire source directories like /src and /pages. It also utilizes the github:get_file_contents tool to fetch content from arbitrary user-provided URLs.
  - Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between data to be analyzed and potential instructions embedded within the files.
  - Capability inventory: The agent is granted the capability to use file-system read tools and repository access tools.
  - Sanitization: No validation or sanitization of the ingested content is performed before processing.
- [DATA_EXFILTRATION]: The skill promotes the exposure of sensitive technical information. It explicitly directs the agent to 'Examine database schemas' and 'Scan main application files' to extract feature details. This practice can lead to the unintended exposure of proprietary logic, architectural secrets, or internal metadata to the model context.
- [COMMAND_EXECUTION]: The skill workflow relies on the execution of file-system and repository interrogation tools to perform project analysis. While these are necessary for the skill's primary purpose, they represent a high-privilege access pattern over the project environment.
Audit Metadata