lead-research-assistant
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill instructs the agent to analyze external web content (job postings, tech stacks, and company news) and local source code without any boundary markers or instructions to ignore embedded commands.
- Ingestion points: Web search results, job boards, company websites, and the local repository's source files.
- Boundary markers: Absent. The instructions do not define delimiters or warn the agent against instructions embedded in the data it is analyzing.
- Capability inventory: The skill utilizes file-reading (codebase analysis) and external web searching. It makes high-impact decisions (prioritizing leads and suggesting outreach) based on this data.
- Sanitization: Absent. There is no requirement to filter or validate content retrieved from the web or the repository before processing.
- [Data Exposure] (HIGH): The instruction to 'analyze the codebase to understand the product' is overly broad and lacks constraints.
- Evidence: Step 1 explicitly directs the agent to 'analyze the codebase' if run in a code directory.
- Risk: Without explicit exclusion lists (e.g., ignoring .env, secrets.json, or id_rsa), the agent may ingest sensitive credentials or private configuration files and inadvertently include them in its summaries or transmit them via web searches during the 'Research' phase.
Recommendations
- AI detected serious security threats
Audit Metadata