kibana-connectors
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified in the Kibana Workflows documentation.
  - Ingestion points: Untrusted alert data (e.g., event.alerts[0].kibana.alert.reason) is ingested from the Elastic event stream into the workflow context (references/workflows.md).
  - Boundary markers: The example prompt template in the 'enrich' step lacks delimiters or explicit instructions to ignore embedded commands within the interpolated alert data (references/workflows.md).
  - Capability inventory: The workflow includes steps to create cases (kibana.createCaseDefaultSpace) and execute arbitrary Kibana API requests (kibana.request), providing a path for injected instructions to perform unauthorized actions (references/workflows.md).
  - Sanitization: There is no evidence of escaping, validation, or filtering of the external alert content before it is interpolated into the prompt.
Audit Metadata