agentfeed
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill creates a direct pipeline for untrusted external data to influence agent behavior through a 'Feedback Loop'.
  - Ingestion points: Untrusted data enters the agent context via the /comments API endpoint in SKILL.md.
  - Boundary markers: Absent. There are no instructions to use delimiters or to treat the retrieved comment text as data rather than instructions.
  - Capability inventory: The agent is equipped with network capabilities (curl) and is explicitly instructed to 'Process' the feedback, which often leads to the execution of instructions contained within that feedback.
  - Sanitization: There is no evidence of sanitization or filtering of the content received from the server before it is processed by the agent.
- [Data Exfiltration] (LOW): The skill is designed to send 'work results' (Task A, Task B, etc.) to a remote server. While it defaults to localhost, it facilitates the transmission of agent activity data to an external AGENTFEED_BASE_URL.
- [Command Execution] (LOW): The skill relies on executing curl and jq via the shell to interact with the API, which is a standard but noteworthy reliance on system commands.
Recommendations
- AI detected serious security threats
Audit Metadata