agents-md-assistant

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection (Category 8). The skill synthesizes untrusted repository content into a control document that directs future agent actions.
    1. Ingestion points: README.md, CONTRIBUTING.md, Makefile, package.json, pyproject.toml, justfile, Dockerfile, and CI pipelines (SKILL.md).
    2. Boundary markers: Absent; no delimiting or instruction-ignoring wrappers are defined.
    3. Capability inventory: File-write access to create AGENTS.md at the repo root (SKILL.md), which serves as the instruction set for subsequent agents.
    4. Sanitization: Absent; the agent is explicitly told to 'Record... commands exactly as documented'.
  • [DATA_EXFILTRATION] (HIGH): The skill facilitates data exposure by accessing and documenting sensitive configuration paths (Category 2). It instructs the agent to capture 'env vars' and 'key configs' from sources like .env and CI pipeline files. While it does not include a network exfiltration command, the consolidation of this sensitive reconnaissance data into a root-level markdown file intended for version control creates a high risk of accidental exposure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:31 PM