content-creation-system
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill possesses a substantial attack surface for Indirect Prompt Injection. The research-factcheck and trend-intelligence agents ingest data from external sources (e.g., PubMed, arXiv, EnsembleData API) and interpolate it into the agent's context without sanitization or boundary markers. This could allow an attacker to override system instructions via poisoned web content or research metadata.
- COMMAND_EXECUTION (HIGH): The skill is architected to run local Python scripts (e.g., sub-agents/setup-wizard/interview.py) and maintains write access to its own config/ and memory/ directories. In the event of an injection attack, these capabilities could be exploited to perform unauthorized operations or achieve persistence within the environment.
- EXTERNAL_DOWNLOADS (MEDIUM): The system makes network requests to non-whitelisted external domains for trend analysis and citation fetching. These interactions lack integrity verification and rely on unverified third-party APIs.
- DATA_EXFILTRATION (MEDIUM): The inclusion of a shared api_helpers.py utility with POST capabilities, combined with the agent's access to local config files (which may contain API keys via environment variable references), provides a potential path for sensitive data exfiltration if the agent is misled by malicious input.
Recommendations
- AI detected serious security threats
Audit Metadata