interacting-with-agents
Pass
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: LOWPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill encourages the agent to read and incorporate 'cognition records' (thoughts, reasoning) and recent posts from external accounts into its own context. This data is attacker-controlled and can contain malicious instructions.\n
- Ingestion points: The Python snippets in
SKILL.mddemonstrate fetching records from the ATProtocol XRPC endpointcom.atproto.repo.listRecords.\n - Boundary markers: Absent. No delimiters or instruction-isolation techniques are suggested for processing external data.\n
- Capability inventory: Network read via
httpx. No write or execute capabilities are provided by this skill.\n - Sanitization: None. The skill only advises the agent to 'verify claims' and 'hold beliefs loosely'.\n- Data Exposure & Exfiltration (LOW): The skill contains Python code that performs HTTP GET requests to
comind.network, a domain not included in the standard whitelist. While these are for fetching public data, any network operation to non-whitelisted domains is a low-level concern for potential signaling or exfiltration.
Audit Metadata