pgvector-rag

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE

Finding: PROMPT_INJECTION

Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a vulnerability to Indirect Prompt Injection within its RAG implementation.
  • Ingestion points: External data is ingested into the PostgreSQL database through scripts/seed-documents.sh and the DocumentIngester class defined in references/embeddings.md.
  • Boundary markers: In references/agentic-kit.md (the buildMessages function) and references/rag-pipeline.md, retrieved context is prepended to user queries with only a simple 'Context:' header. There are no robust delimiters or system instructions explicitly telling the model to ignore instructions embedded within the retrieved context.
  • Capability inventory: The RAG service possesses network communication capabilities (via cross-fetch to Ollama) and full database access (via pg Pool), allowing a successful injection to potentially influence external API calls or database state.
  • Sanitization: Content is escaped for SQL (using sed in scripts or parameterized queries in TypeScript), but there is no sanitization of the natural language content to prevent it from hijacking the LLM's instruction flow.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 4, 2026, 10:02 AM