external-system-safety

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • Prompt Injection (MEDIUM): The skill instructions include a hardcoded bypass for 'Linear' operations, explicitly telling the agent to 'NEVER ask for confirmation' for these actions. This overrides the safety constraints intended for external systems.
  • Indirect Prompt Injection (HIGH): The skill's core function of processing external system writes presents a significant attack surface. (1) Ingestion points: The skill handles user-provided content for Jira, Confluence, and Slack writes. (2) Boundary markers: The skill uses visual separators like dashes but lacks programmatic delimiters to prevent embedded instructions in the content from being executed by the agent. (3) Capability inventory: The skill interacts with tools capable of write, update, and delete operations on multiple external platforms. (4) Sanitization: There is no validation or sanitization of content before it is processed or displayed.
  • Data Exposure & Exfiltration (MEDIUM): By allowing data to be sent to external platforms, the skill facilitates potential data exfiltration. The 'Linear' bypass specifically increases this risk by removing the human-in-the-loop confirmation for any operation the agent classifies as internal.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:16 AM