newsletter-to-social
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection vulnerability. The skill processes external, untrusted content (newsletters/blog posts via URL) and uses it to drive the logic of parallel sub-agents.
- Ingestion points: Phase 1 extracts snippets from newsletters provided via user input or URL.
- Boundary markers: Absent. The sub-agent prompt pattern
SNIPPET: [extracted snippet]lacks delimiters or instructions to ignore embedded commands within the untrusted content. - Capability inventory: The skill can read local files in
Studio/Nearbound Pipeline/people/, invoke other skills likex-posting, and post to the#content-inboxSlack/messaging channel. - Sanitization: No evidence of sanitization or filtering of the extracted snippets before they are used to generate social media drafts.
- [DATA_EXFILTRATION] (SAFE): The skill accesses local files at a hardcoded path (
Studio/Nearbound Pipeline/people/) to retrieve handle information. While this involves reading local data based on names extracted from newsletters, it is a core feature for the intended 'Nearbound' functionality and does not show malicious exfiltration patterns.
Audit Metadata