people-research

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (MEDIUM): The skill's primary purpose is to ingest and summarize data from external, untrusted sources (public web pages, LinkedIn profiles, personal blogs).
  • Ingestion points: Data enters the agent via the web_search_advanced_exa tool.
  • Boundary markers: The skill does not explicitly define delimiters for the external content within the task agent context, though it recommends isolation.
  • Capability inventory: The skill processes this data using Task agents to produce distilled JSON or Markdown outputs.
  • Sanitization: No explicit sanitization or filtering of the retrieved web content is mentioned beyond 'distillation' by an LLM.
  • Analysis: A malicious website or profile could contain instructions designed to influence the agent's summary or the behavior of the Task agent. However, the skill's 'Token Isolation' rule (spawning Task agents to keep the main context clean) is a significant architectural mitigation that prevents such injections from persisting into the main agent session.
  • [Metadata Poisoning] (LOW): The skill instructions include a 'Critical' directive to use specific tools and isolation patterns. While instructional, these are self-referential safety claims that must be verified by the system rather than taken as a guarantee of security.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 05:10 AM