intent-signal-aggregator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH PROMPT_INJECTION NO_CODE
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8). It instructs the agent to process data from attacker-controllable sources.
- Ingestion points: The instructions in SKILL.md direct the agent to monitor external web content including job postings (LinkedIn Jobs), funding news (TechCrunch), and company websites.
- Boundary markers: Absent. There are no instructions or delimiters provided to prevent the agent from obeying malicious commands hidden within the job descriptions or news articles it reads.
- Capability inventory: The skill involves the agent making decisions ("Intent Score", "Recommended Action") and drafting communication ("Talking Point"). If the agent has tools for CRM updates or email, an attacker could trigger unauthorized actions via a job posting.
- Sanitization: Absent. There is no requirement for the agent to validate or sanitize external content before using it to generate reports or recommendations.
- NO_CODE (LOW): This skill consists entirely of natural language instructions and markdown templates with no executable scripts or dependency files, which limits the risk to prompt-based attacks rather than system-level compromise.
Recommendations
- AI detected serious security threats
Audit Metadata