internal-comms

Pass

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: SAFE
PROMPT_INJECTION, NO_CODE
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill encourages the agent to retrieve data from external, untrusted communication channels, which creates a surface for indirect prompt injection attacks.
    • Ingestion points: As specified in examples/3p-updates.md, examples/company-newsletter.md, and examples/faq-answers.md, the agent is instructed to read content from Slack channels, Google Drive documents, emails, and Calendar events.
    • Boundary markers: Absent. The skill does not instruct the agent to treat retrieved content as data rather than instructions, and it suggests no delimiters (e.g., XML tags or triple quotes) for the fetched content.
    • Capability inventory: The prompts assume the agent has active tools to read private and public workspace data (Slack, GDrive, Email, Calendar).
    • Sanitization: Absent. The skill lacks instructions to filter, escape, or validate the content gathered from these external sources before including it in the generated communications.
  • [No Code] (SAFE): All five files are Markdown files containing natural language instructions and templates. No Python scripts, Node.js packages, or shell commands are included in the skill, which significantly reduces the risk of direct system exploitation or remote code execution.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 19, 2026, 03:55 PM