internal-comms
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because its primary function is to aggregate and summarize untrusted data from multiple corporate sources.
  - Ingestion points: The guideline files (examples/3p-updates.md, examples/company-newsletter.md, examples/faq-answers.md) explicitly instruct the agent to read from Slack, Google Drive, Email, and Calendar.
  - Boundary markers: No delimiters or instructions are provided to help the agent distinguish between the skill's instructions and the potentially malicious instructions contained within the ingested data.
  - Capability inventory: The skill possesses significant read capabilities across the enterprise environment and generates high-visibility outputs (company-wide newsletters, leadership updates).
  - Sanitization: There is a total absence of sanitization or validation logic for the content retrieved from external tools.
- Data Exposure (HIGH): The skill directs the agent to specifically target sensitive data sources, including executive communications, private team posts, and internal vision documents. This aggregation of sensitive data increases the impact of any successful prompt injection or data exfiltration attack.
Recommendations
- AI detected serious security threats
Audit Metadata