security-alert-triage
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Findings: [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from security alerts (e.g., alert reasons, log messages) retrieved via fetch-next-alert.js and run-query.js. This creates an attack surface for indirect prompt injection, where malicious instructions embedded in logs could influence the agent's behavior.
  - Ingestion points: Data enters the agent's context through Elasticsearch search results in fetch-next-alert.js and run-query.js.
  - Boundary markers: No explicit boundary markers or "ignore embedded instructions" warnings are used when presenting alert fields to the agent.
  - Capability inventory: The agent can execute shell scripts, write files (e.g., echo "..." > query.esql), and perform network operations via the Elastic and Kibana APIs (acknowledging alerts, creating cases).
  - Sanitization: No evidence of sanitization or escaping of external alert fields is present before the data is interpolated into the agent's context.
- [COMMAND_EXECUTION]: The skill's operational workflow depends on the execution of local Node.js scripts via the shell. It specifically instructs the agent to dynamically generate ES|QL queries and write them to temporary files on disk (query.esql) before execution, which is a standard but sensitive operation.
Audit Metadata