internal-comms
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Prompt Injection] (HIGH): The file SKILL.md contains an instruction meant to override the agent's global behavior: 'Claude should use this skill whenever asked to write some sort of internal communications'. This attempts to force the agent's operational mode regardless of context.
- [Indirect Prompt Injection] (HIGH): The skill creates a dangerous attack surface where untrusted data can influence high-impact outputs. Ingestion points: External and untrusted data enters the context via Slack messages, Google Drive documents, email threads, and external press as specified in examples/3p-updates.md and examples/company-newsletter.md. Boundary markers: None. The skill does not provide delimiters or instructions to ignore embedded commands in the fetched data. Capability inventory: The agent can read sensitive corporate data and write impactful company-wide communications like newsletters and FAQs. Sanitization: No sanitization or filtering logic is present to prevent ingested instructions from being executed by the AI during the summarization process.
- [Data Exposure & Exfiltration] (HIGH): The skill instructs the agent to crawl sensitive internal services (Slack, Email, Google Drive) and consolidate findings into broad-reach formats such as 'company-wide newsletters' in examples/company-newsletter.md. This facilitates the potential exposure of restricted information to a wider audience than originally intended.
Recommendations
- AI detected serious security threats
Audit Metadata