cold-email-personalization
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection due to its reliance on external data ingestion combined with content generation capabilities.
- Ingestion points: According to assets/research-playbook.md, the agent is instructed to scrape external pricing pages, Google reviews, and LinkedIn content.
- Boundary markers: There are no instructions to use delimiters or protective tags around the ingested content defined in assets/variable-schema.md.
- Capability inventory: The skill enables the agent to draft and sequence emails (SKILL.md, assets/campaign-types.md), which serves as an external output channel for potentially injected instructions.
- Sanitization: No sanitization or validation of the scraped data is mentioned or required by the instructions.
Recommendations
- AI detected serious security threats
Audit Metadata