lead-research-assistant
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data from the public internet (job postings, company sites, and news) and process it while the agent has active access to the user's local filesystem.
- Ingestion points: Web search results, company websites, job postings, and news articles (SKILL.md, "Research and Identify Leads" section).
- Boundary markers: Absent. There are no instructions for the agent to treat external content as data rather than instructions.
- Capability inventory: File system access (the agent is explicitly told to "analyze the codebase" in step 1 of the instructions) and Network access (for lead research).
- Sanitization: Absent. The skill does not provide methods to escape or validate the content retrieved from the web.
- [Data Exposure] (MEDIUM): The instruction to "analyze the codebase" is overly broad and lacks specific file exclusions. An agent attempting to understand a product's features may inadvertently read sensitive files in the directory, such as
.envfiles,.git/config, or SSH keys, which could then be summarized or included in the "Lead Research Results" output.
Recommendations
- AI detected serious security threats
Audit Metadata