skill-lookup
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, NO_CODE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a direct ingestion surface for instructions from files that may be attacker-controlled or malicious.
- Ingestion points: Reading SKILL.md files from the .agent/skills directory.
- Boundary markers: Absent. The skill instructions do not specify any delimiters or safety prompts when the agent 'loads' and 'learns' instructions from these files.
- Capability inventory: The skill specifically allows the agent to 'learn' and adopt instructions from these files, which can override the agent's primary safety protocols.
- Sanitization: Absent. There is no mechanism mentioned to validate or sanitize the content of the retrieved skills before the agent incorporates them into its context.
- Metadata Poisoning (MEDIUM): Malicious skills could use deceptive metadata (names/descriptions) to trick this lookup skill into loading them for unrelated tasks, facilitating the Indirect Prompt Injection.
Recommendations
- AI detected serious security threats
Audit Metadata