reconnaissance
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): Indirect Prompt Injection vulnerability identified. The skill's core workflow involves processing untrusted external data (GitHub repositories, arXiv papers) and synthesizing it into decision-making artifacts.
- Ingestion points: Data is pulled from external URLs and APIs as shown in 'example-1-technology-recon.md' and 'example-3-paper-extraction.md'.
- Boundary markers: The methodology and output templates in 'references/output-templates.md' and 'references/recon-methodology.md' do not define clear delimiters or instructions to prevent the agent from obeying commands embedded within researched materials.
- Capability inventory: The skill possesses file-writing capabilities (creating analysis reports in the project root) and state persistence via 'memory-mcp', which directly informs downstream 'research-driven-planning'.
- Sanitization: No logic is present to sanitize or escape external content before it is interpolated into system prompts for synthesis.
- DYNAMIC_EXECUTION (MEDIUM): The skill documentation in 'resources/README.md' specifies that JavaScript and Python scripts (e.g., 'validate-extraction.js') are 'automatically loaded' and executed. This creates a risk if an attacker can influence the files placed in the resources directory or if computed paths are used without validation.
Recommendations
- AI detected serious security threats
Audit Metadata