em-kb-article
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill has a significant attack surface because it ingests untrusted data while also holding write capabilities.
  - Ingestion points: The skill reads source code from the 'project_path', navigates external websites using Chrome, and fetches existing articles from Zendesk.
  - Boundary markers: None found. No delimiters or instructions tell the agent to ignore or sanitize instructions embedded in the code or web content it analyzes.
  - Capability inventory: The skill can perform network POST/PUT requests to the Zendesk API (creating and updating articles) and has read access to the local file system.
  - Sanitization: No sanitization or validation of the ingested external content is performed before it influences the agent's output or actions.
- Credentials Handling (MEDIUM): The skill explicitly reads sensitive values, including 'ZENDESK_API_TOKEN' and 'EASYMAILING_TEST_PASSWORD', from '.env' and '.kb-config.json'. While necessary for its function, this makes the credentials a target for exfiltration if the agent is compromised via prompt injection.
- Command Execution (LOW): The script 'scripts/zendesk.ts' uses a shebang invoking 'npx -y bun', which triggers a download and execution of the Bun runtime from an external source.
Recommendations
- AI detected serious security threats