Skills
skills/davidgeorgehope/elasticsearch-skill/elasticsearch/Gen Agent Trust Hub

elasticsearch

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to use curl for network requests, jq for parsing JSON responses, printenv to retrieve API keys from environment variables, and cat for writing configuration files. These commands are used to facilitate standard Elasticsearch and Kibana operations.
  • [EXTERNAL_DOWNLOADS]: The documentation references an installation process that involves cloning the skill repository from the author's GitHub account (https://github.com/davidgeorgehope/elasticsearch-skill.git). This is a vendor-owned resource.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from Elasticsearch search results (e.g., log bodies and document content).
  • Evidence Chain for Indirect Prompt Injection:
  • Ingestion points: Data enters the agent context through curl responses from API endpoints such as _search and _query.
  • Boundary markers: No explicit delimiters or isolation instructions are provided to distinguish between the agent's instructions and the retrieved data.
  • Capability inventory: The agent has access to curl, jq, cat, and printenv.
  • Sanitization: The skill does not include steps to sanitize, escape, or validate the content retrieved from the remote cluster before processing it.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 26, 2026, 08:46 PM