agent-inbox
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines a protocol where agents read and act upon data from external files, creating an indirect prompt injection surface.
  - Ingestion points: Message content and metadata, such as the reply_to path, are read from files located in the .agents/inbox/ directory structure.
  - Boundary markers: No delimiters or safety instructions are provided to distinguish between protocol metadata and potentially malicious instructions in the message body.
  - Capability inventory: The skill instructs agents to use the reply_to field from messages as a target for file writes (mkdir, cat, mv). This creates a path traversal risk if the field contains malicious relative paths designed to target sensitive files outside the inbox structure.
  - Sanitization: The skill does not include any validation, sanitization, or path-normalization logic for the reply_to field or the message body content.