deep-research
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection via the ingestion of untrusted external content.
- Ingestion points: The skill uses exa-tools to fetch data from the live web (File: SKILL.md, Section [1][ORIENT]).
- Boundary markers: While sub-agent prompts use structured blocks (Scope, Objective, Output), they lack robust delimiters or specific instructions to ignore malicious directives embedded within the fetched web content.
- Capability inventory: The main agent has the capability to write the synthesized research findings to the local file system via the OutputPath parameter (File: SKILL.md, Section [5][CRITIQUE_2]).
- Sanitization: The 'Critique' phases filter for content quality and focus but do not perform security sanitization to strip or neutralize potential instruction injections found in web search results. An attacker could host a website with hidden instructions that the sub-agents might follow during the research rounds.
Recommendations
- AI detected serious security threats
Audit Metadata