fan-out
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it processes external data and has the capability to trigger further agent actions.
  * Ingestion points: Untrusted data enters the agent context via the 'Original task' description in Step 2 and through file contents read using the 'file: read' and 'bash: cat' tools, as shown in Step 6 and Example 1.
  * Boundary markers: Absent. The skill instructions do not specify any delimiters (e.g., XML tags or triple quotes) or 'ignore' instructions to isolate processed data from the agent's logic.
  * Capability inventory: The skill allows execution of 'bash' commands (ls, cat, grep) and spawning of new agent instances via 'mcp: task' (Step 3).
  * Sanitization: Absent. No filtering or validation logic is prescribed for data before it is interpolated into sub-agent prompts.
- Dynamic Execution (MEDIUM): The skill dynamically constructs prompts for sub-agents in Step 3 by taking untrusted descriptions from Step 2. This facilitates the propagation of injected instructions to downstream agents.
- Command Execution (LOW): The use of bash tools like 'ls', 'cat', and 'grep' is constrained but provides the necessary primitive for reading the malicious payloads that enable the higher-severity prompt injection attacks.
Recommendations
- AI detected serious security threats
Audit Metadata