agents-md-best-practices
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill has a significant attack surface due to processing untrusted instruction files and possessing file-writing capabilities. Ingestion points: Step 1 in SKILL.md ingests content from external AGENTS.md files via file path or user paste. Boundary markers: Absent; the instructions do not use delimiters or ignore-directives to isolate untrusted data. Capability inventory: Step 5 grants the agent authority to create and modify multiple files and directories. Sanitization: Absent; there is no validation or filtering of the processed content before it is used to generate or modify system files.
- [Command Execution] (MEDIUM): The skill's workflow (Step 0 and Step 5) involves applying file changes to the local filesystem, which could be exploited to overwrite sensitive files if the agent's reasoning is compromised by malicious instructions found within the input files.
Recommendations
- AI detected serious security threats
Audit Metadata