cold-email-personalization
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a vulnerability to indirect prompt injection by design.
- Ingestion points: In assets/research-playbook.md, the instructions guide the agent to use scraping tools (Claygent, ZenRows) and search APIs (Serper) to fetch content from pricing pages, news articles, and Google reviews.
- Boundary markers: There are no instructions for the agent to use delimiters or ignore embedded instructions within the ingested external data.
- Capability inventory: The skill encourages the use of web-scraping and data extraction capabilities which, when combined with the lack of boundaries, allows for potential instruction override from attacker-controlled web pages.
- Sanitization: The playbook lacks guidance on sanitizing or validating the ingested content before it is used to generate email copy.
Audit Metadata