tool-selector
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The protocol explicitly facilitates and structures the use of high-impact capabilities including code execution, persistent file writing, and database queries within its 'Tool Catalog'.
- [PROMPT_INJECTION]: The skill serves as an orchestrator for multi-step tool chains, creating a vulnerability surface for indirect prompt injection where malicious content ingested from an external source could influence subsequent tool actions.
  - Ingestion points: The 'Tool Combination Guide' describes workflows that ingest data from untrusted sources like 'Web search' and 'File read' (e.g., Research & Report or Data Processing chains).
  - Boundary markers: The protocol lacks instructions for using delimiters or boundary markers to separate tool-generated data from agent instructions.
  - Capability inventory: The skill manages access to powerful tools including subprocess code execution, file system modifications, and database write operations.
  - Sanitization: No logic is provided for sanitizing, escaping, or validating the output of 'read' tools before that content is passed to 'execution' or 'write' tools in the sequence.
Audit Metadata