madai-investigator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
- Ingestion points: Data enters the context via
mcp__MadAI_Prod__get_zendesk_ticketandmcp__MadAI_Prod__get_jira_ticketinSKILL.md. - Boundary markers: Absent; there are no instructions or delimiters to prevent the agent from following instructions embedded within the ticket content.
- Capability inventory: The skill has access to
execute_redshift_query,execute_postgres_query, andget_github_tenant_config_file_content. - Sanitization: Absent; the workflow relies on interpreting ticket content to drive subsequent tool calls.
- [COMMAND_EXECUTION] (LOW): The skill enables arbitrary SQL execution through model-generated queries.
- Evidence: Tools
mcp__MadAI_Prod__execute_redshift_queryandmcp__MadAI_Prod__execute_postgres_queryallow the agent to run free-form SQL. - Risk: While necessary for the primary purpose of investigation, this capability could be abused if an attacker places a malicious SQL payload in a support ticket that the agent then executes.
- [DATA_EXFILTRATION] (LOW): The skill has broad read access to sensitive internal infrastructure.
- Evidence: Access to Datadog logs, GitHub configuration files, and production databases.
- Context: This access constitutes a high-impact surface for data exposure if the agent's logic is subverted by a malicious ticket.
Audit Metadata