capability-discovery
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE | PROMPT_INJECTION | NO_CODE
Full Analysis
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because it uses external, potentially untrusted descriptions to influence the agent's delegation and routing logic.
- Ingestion points: The discovery process reads metadata and descriptions from .claude-plugin/plugin.json, agents/*.md, and commands/*.md within the Plugins/ directory and its subdirectories.
- Boundary markers: The skill does not implement boundary markers or instructions for the agent to ignore embedded commands or instructions within the retrieved plugin metadata.
- Capability inventory: The skill possesses the capability to delegate and route the entire agentic workflow to any discovered agent or command based on the scoring results.
- Sanitization: No sanitization or validation of the description content is performed; the skill relies solely on keyword scoring, which can be easily manipulated by an attacker to ensure a high match score for a specific capability.
Audit Metadata