ollama-rag
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- Metadata Poisoning (MEDIUM): The skill documentation includes extensive references to 'Ollama Cloud' and a 'v0.12+' version of the Ollama CLI that does not exist as of late 2024. The inclusion of instructions for 'ollama signin' is a deceptive instruction that could be exploited in social engineering campaigns to trick users into providing credentials to a malicious CLI clone. This falls under Metadata Poisoning as it misrepresents the tool's actual capabilities and security model.\n- Indirect Prompt Injection Surface (LOW): The RAG patterns demonstrated in the code snippets are vulnerable to indirect prompt injection because they process untrusted data from PDFs and directory readers without implementing boundary markers or sanitization. \n
- Ingestion points: PyPDFLoader (SKILL.md), SimpleDirectoryReader (SKILL.md).\n
- Boundary markers: None present in prompt templates (e.g., in Option C).\n
- Capability inventory: File system read access and LLM prompt interpolation.\n
- Sanitization: No validation or filtering of retrieved content before prompt insertion.
Audit Metadata