feature-investigation
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
- Ingestion points: The skill uses
WebFetchandWebSearchtools to ingest data from external URLs and search results into the agent's context (SKILL.md). It also reads local codebase files usingRead,Grep, andGlob. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands within fetched content are provided in the skill definition.
- Capability inventory: The skill possesses the
Tasktool (potential command execution),TodoWrite(file modification), and network access viaWebFetch. - Sanitization: There is no evidence of sanitization, escaping, or validation of external content before it is processed or summarized.
- [COMMAND_EXECUTION]: The
allowed-toolssection includes theTasktool. While the skill's instructions repeatedly state that it is a 'READ-ONLY investigation skill' and that the agent should 'NOT implement or fix anything', the inclusion of theTasktool provides a technical path for executing shell commands or automated tasks which contradicts the stated safety boundaries. - [EXTERNAL_DOWNLOADS]: The skill explicitly allows
WebFetchandWebSearchto retrieve data from the public internet. While these are used for 'discovery searches', they allow the agent to connect to non-whitelisted and potentially untrusted external domains.
Audit Metadata