interview
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a significant attack surface for indirect prompt injection due to its core workflow of processing external file content followed by file system write operations.
- Ingestion points: The workflow explicitly starts by reading a file path provided in the argument (
[path/to/plan.md]) inSKILL.md. - Boundary markers: The instructions do not define any delimiters or system-level constraints to prevent the agent from obeying instructions embedded within the ingested plan file.
- Capability inventory: The skill has the capability to read files and then write back to the file system (
Write the refined spec back to the file). This allows a successful injection to persist or escalate by modifying local project data. - Sanitization: No validation, escaping, or filtering of the file content is specified before the agent processes it or incorporates it into the final write operation.
Recommendations
- AI detected serious security threats
Audit Metadata