skill-composer-studio
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to chain outputs from one tool as inputs to another, creating a vulnerability where data from an untrusted source (like a web scraper or file reader) could contain instructions that hijack the logic of subsequent steps.
  - Ingestion points: Processes user-provided requests and the resulting data from 'all 81 skills in the catalog' during automatic handoffs.
  - Boundary markers: The instructions do not define delimiters (e.g., XML tags or triple quotes) or provide 'ignore embedded instructions' warnings for the data being passed between workflow steps.
  - Capability inventory: The orchestrator has the capability to execute any of the 81 skills in the catalog, which may include high-privilege tools such as shell executors, file writers, or network clients.
  - Sanitization: There is no evidence of logic to escape, validate, or filter content passed during data transformations or handoff points.