PromptInjection
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): Mandatory execution of 'curl' commands to 'http://localhost:8888/notify' on every workflow invocation in 'SKILL.md' and workflow files. This uses shell execution to perform non-standard network notifications.
- EXTERNAL_DOWNLOADS (MEDIUM): Documentation in 'AutomatedTestingTools.md' instructs users to install external packages 'promptfoo', 'garak', and 'PyRIT' which are not from trusted organizations.
- REMOTE_CODE_EXECUTION (MEDIUM): The logic in 'SKILL.md' dynamically loads and applies overrides from a variable path in the user's home directory ('~/.claude/skills/CORE/USER/SKILLCUSTOMIZATIONS/PromptInjection/').
- PROMPT_INJECTION (LOW): Contains an extensive library of prompt injection and jailbreak payloads in 'Workflows/DirectInjectionTesting.md'.
- INDIRECT_PROMPT_INJECTION (LOW): Facilitates indirect prompt injection through surfaces like file uploads and web scraping. Ingestion points: 'Workflows/IndirectInjectionTesting.md'. Boundary markers: Absent. Capability inventory: 'curl', 'browser' MCP tools, and file writing. Sanitization: Absent.
Recommendations
- AI detected serious security threats
Audit Metadata