prompt-testing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests external JSON datasets (test cases) that are then processed with high-privilege tools. Because the agent has Bash access and the skill defines neither boundary markers nor sanitization, malicious instructions embedded in the 'input' fields of the test data could be executed with the agent's permissions.
  - Ingestion points: datasets (e.g., 'tests.json') and the test case JSON templates defined in SKILL.md and docs/methodology.md.
  - Boundary markers: Absent; the skill does not define delimiters that separate test data from the agent's own instructions.
  - Capability inventory: Read, Write, and Bash tools are explicitly requested in the frontmatter.
  - Sanitization: Absent; no method is described for validating, escaping, or filtering the content of test cases.
- Unverifiable Dependencies (MEDIUM): The methodology documentation (docs/methodology.md) references the 'scipy' library for statistical calculations without version pinning or a verification mechanism (e.g., requirements.txt), which violates security best practices for dependency management.
- Command Execution (INFO): The skill's frontmatter explicitly allows use of the Bash tool. Although the documentation uses it for running test commands, this capability significantly escalates the impact of any injection vulnerability in the handled data.
Recommendations
- AI detected serious security threats
Audit Metadata