judge
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill extracts untrusted content from conversation history and passes it to a sub-agent for evaluation, which can be exploited if the content contains adversarial instructions.
  - Ingestion points: Phase 1 context extraction from 'completed work' in conversation history.
  - Boundary markers: Uses markdown tags like [WORK OUTPUT] to delimit data, but lacks explicit instructions to the sub-agent to ignore instructions contained within those blocks.
  - Capability inventory: Spawns a sub-agent via the Task tool and reads a local judge.md template.
  - Sanitization: No sanitization or escaping of the extracted conversation context is performed before interpolation into the judge prompt.