enrich
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The enrichment protocol (Step 4b) instructs the agent to send existing internal knowledge as context to external web research services (such as Perplexity, Brave, or Exa) to determine what new information is available. This practice transmits locally stored dossier content to third-party providers.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests data from untrusted external sources—including social media, web search results, and third-party APIs—and uses that content to create or update internal records. Maliciously crafted instructions within those external sources could potentially influence the agent's actions during the enrichment process.
- Ingestion points: External lookups defined in SKILL.md (Step 4) including web research, social media posts, and people/company enrichment APIs.
- Boundary markers: None identified. The instructions do not specify the use of delimiters or warnings to ignore instructions embedded in the external data.
- Capability inventory: The skill has the capability to write and modify files in the `people/` and `companies/` directories using the `put_page` tool.
- Sanitization: While the skill includes validation rules for data quality (e.g., name matching, connection counts), it lacks mechanisms to sanitize or filter potential instructions embedded in the retrieved text.
Audit Metadata