ctf-osint
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process data from uncontrolled external web sources.
  - Ingestion points: The agent fetches content from the internet using `WebFetch`, `WebSearch`, and various `curl` commands mentioned in `SKILL.md`, `social-media.md`, and `web-and-dns.md`.
  - Boundary markers: The instructions do not specify any delimiters or warnings to ignore embedded instructions in the fetched data.
  - Capability inventory: The skill allows the use of powerful tools such as `Bash` for shell command execution and `Write`/`Edit` for file system modifications.
  - Sanitization: There is no evidence of sanitization or filtering logic applied to external content before it is processed by the agent.
- [DATA_EXFILTRATION]: The skill contains instructions for the agent to access sensitive local data, specifically browser history databases and system event logs (e.g., `Security.evtx`). While this is presented as a legitimate forensic technique for CTF challenges (e.g., identifying past searches or account renames), it involves the ingestion of private user data into the agent context.
- [COMMAND_EXECUTION]: The skill relies on the execution of numerous standard command-line utilities for network and file analysis, including `dig`, `whois`, `nmap`, `exiftool`, and `identify`. These are used appropriately for the skill's stated purpose.
- [EXTERNAL_DOWNLOADS]: The skill interacts with reputable OSINT and archival services, including Shodan, the Wayback Machine, and public APIs for platforms like BlueSky and Tumblr. These network operations are consistent with OSINT reconnaissance and target well-known services.
Audit Metadata