ai-engineer
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exposes a large surface for indirect prompt injection because it is designed to ingest and process external content while retaining high-privilege tool access.
  * Ingestion points: The metadata enables the 'WebFetch' and 'Read' tools, which ingest untrusted data from URLs and local files.
  * Boundary markers: The skill definition has no delimiters around processed data and no instructions to ignore commands embedded in it.
  * Capability inventory: Across its metadata, the skill permits the 'Bash', 'Write', 'Edit', and 'WebFetch' tools.
  * Sanitization: Although the skill's documentation mentions 'guardrails' as a best practice, no sanitization or validation logic is implemented in the skill's tool use patterns.
- COMMAND_EXECUTION (LOW): The metadata explicitly allows the 'Bash' tool. While consistent with an 'AI Engineer' persona, this tool provides a powerful mechanism for executing arbitrary commands if the agent is misled by malicious input.
- EXTERNAL_DOWNLOADS (LOW): The 'WebFetch' tool is allowed in the metadata. This facilitates the retrieval of external documentation for RAG systems but also allows the agent to fetch potentially malicious scripts or data from untrusted domains.
Recommendations
- AI detected serious security threats
Audit Metadata