lead-research-assistant
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, NO_CODE)
Full Analysis
- Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection (Category 8) due to its data-processing workflow.
- Ingestion points: The skill ingests untrusted data from the user's local codebase and external web sources (news, job postings, company websites) as described in the 'Research and Identify Leads' instructions in SKILL.md.
- Boundary markers: There are no instructions for the agent to use delimiters (e.g., XML tags or triple backticks) to isolate untrusted external content from its internal logic.
- Capability inventory: The agent is granted the capability to read local files ('analyze the codebase') and perform web searches to gather company data.
- Sanitization: No sanitization or validation of the ingested external content is performed before it is used to generate outreach strategies and conversation starters.
- Data Exposure & Exfiltration (SAFE): While the skill involves reading the local codebase to understand the product, there are no instructions or patterns suggesting that sensitive data is being exfiltrated to unauthorized third-party domains. The identified behavior is consistent with the skill's primary purpose of lead qualification.
- No Code (SAFE): The skill contains only instructional markdown (SKILL.md) and no executable scripts, binaries, or configuration files, significantly reducing the attack surface for remote code execution or persistence.
Audit Metadata