hr-network-analyst
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill possesses an attack surface for indirect prompt injection as it is designed to ingest and process data from external, untrusted web sources.
  - Ingestion points: Data enters the agent context through `WebSearch`, `WebFetch`, `mcp__firecrawl__firecrawl_scrape`, and `mcp__brave-search__brave_web_search` when mapping professional networks from LinkedIn, Twitter, and GitHub.
  - Boundary markers: Absent. There are no instructions to use delimiters or ignore embedded instructions within the scraped professional bios or publication metadata.
  - Capability inventory: The skill allows `Write` and `Edit` (file system access) and further `WebSearch` capabilities, which could be used to exfiltrate data if a malicious instruction is encountered during scraping.
  - Sanitization: Absent. No sanitization or validation of the ingested strings is performed before they are processed by the LLM.
- [Data Exposure] (LOW): The skill documentation mentions using 'Slack metadata' and 'surveys' for Organizational Network Analysis (ONA). While legitimate in a corporate context, handling internal communication metadata requires high privacy standards to prevent accidental exposure of PII or sensitive corporate relationships.
- [External Downloads] (SAFE): The skill identifies external data sources (LinkedIn, Google Scholar, GitHub) but uses standard search and fetch tools. No unauthorized or risky third-party downloads are initiated.
- [Command Execution] (SAFE): Python code snippets provided in the reference files use standard libraries like `networkx` and `pandas` for data analysis and do not contain malicious system calls or obfuscated commands.