debate
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
PROMPT_INJECTION, NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the way it handles external data in its templates.
  - Ingestion points: In SKILL.md, user-provided topic data and responses from tool invocations (e.g., {proposer_round1_response}, {context_summary}) are directly interpolated into subsequent prompt rounds.
  - Boundary markers: The templates rely on simple labels and markdown separators (e.g., ---), which do not provide robust isolation or explicit instructions for the AI to ignore embedded commands or behavioral overrides within the untrusted content.
  - Capability inventory: The skill leverages the consult skill to perform model invocations based on these constructed prompts, allowing one tool's output to potentially influence the behavior of others.
  - Sanitization: No sanitization, escaping, or strict validation is applied to the data before it is inserted into the prompts.
- [PROMPT_INJECTION]: The skill instructions explicitly direct the AI to support claims using evidence such as "file path" and "code pattern". This creates an attack surface where a malicious topic or response could lead the model to attempt to access and reveal sensitive local paths or configurations as part of its argument.
Audit Metadata