creative-writing

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core functionality involves reading and processing untrusted, user-provided text files (manuscripts and research articles). These files are interpolated into agent prompt templates using placeholders like '{{MANUSCRIPT_PATH}}' (found in references/manuscript-audit/audit-prose-quality.md and others) without the use of strict boundary markers (such as XML tags or unique delimiters) or instructions for the agent to ignore directives within the processed text. This could allow a malicious manuscript to hijack the sub-agent's behavior.
      • Ingestion points: Manuscript files and project configuration files (e.g., manuscript-audit-config.md).
      • Boundary markers: None present in the agent prompt templates.
      • Capability inventory: The skill utilizes high-capability tools including MultiEdit, Write, WebSearch, and WebFetch.
      • Sanitization: No sanitization or validation of the processed data is implemented before interpolation into prompts.
  • [COMMAND_EXECUTION]: The skill introduces high-autonomy workflows triggered by slash-command style patterns (e.g., /prose-revision, /writing-team). While these are internal agent commands rather than shell commands, they orchestrate complex automated tasks across multiple files and include network operations. This high degree of autonomy increases the potential impact of a successful prompt injection by allowing an attacker to trigger complex file-system and network operations silently.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 19, 2026, 01:33 PM