web-research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function is to ingest untrusted content from the web, which creates a significant attack surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context through the fetch_url tool and the web_search tool (used by subagents).
  - Boundary markers: Absent. There are no instructions to use delimiters (like XML tags or triple quotes) or 'ignore embedded instructions' warnings when processing web content or writing findings to findings_[subtopic].md.
  - Capability inventory: The skill possesses write_file (filesystem modification), task (process/subagent spawning), and read_file (data ingestion) capabilities.
  - Sanitization: Absent. The skill instructions do not mandate any validation or filtering of external content before it is integrated into the research plan or final report.
- [Command Execution] (MEDIUM): The skill instructions involve creating directories (mkdir) and files based on a user-provided [topic_name]. If the underlying agent does not properly sanitize these inputs, it could lead to directory traversal or the creation of malicious files outside the intended research directory.
- [Dynamic Instruction Generation] (MEDIUM): The skill generates instructions for subagents using the task tool based on external research topics. An attacker could provide a topic name designed to hijack the subagent's logic (e.g., 'topic; [malicious instructions]').
Recommendations
- AI detected serious security threats
Audit Metadata