alert-triage
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is authored by Elastic and integrates seamlessly with official security platform tools including triage-alerts, manage-cases, and threat-hunt.
- [SAFE]: Instructions correctly establish a persona of a senior SOC analyst and provide a comprehensive classification guide in a separate reference file to ensure consistent and evidence-based analysis.
- [SAFE]: The skill implements a structured workflow for incident response, including documentation through cases and targeted threat hunting, with no evidence of data exfiltration or unauthorized system access.
- [PROMPT_INJECTION]: The skill processes security alert data which constitutes a surface for indirect prompt injection. This is a known characteristic of security analysis tools where the data being triaged may contain attacker-controlled strings.
- Ingestion points: Alert metadata (process names, rule names, hostnames) enters the context via the triage-alerts tool output.
- Boundary markers: None identified; alert data is processed directly by the agent for classification.
- Capability inventory: The agent can perform further investigative queries via threat-hunt and modify incident documentation via manage-cases.
- Sanitization: The skill relies on the platform's native handling of alert data; no additional input sanitization is performed within the instructions.
Audit Metadata