research-and-synthesis
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it is designed to ingest and process untrusted data from the web.
  - Ingestion points: The skill uses mcp_web-search-prime_search, mcp_web-reader_read, and mcp_zread_read to fetch external content from the internet (as documented in SKILL.md).
  - Boundary markers: There are no instructions to use delimiters or 'ignore embedded instructions' warnings when processing fetched content.
  - Capability inventory: The skill has access to powerful tools including Bash, mcp_gemini-bridge, and mcp_codex-bridge.
  - Sanitization: No evidence of sanitization or validation of the fetched content before it is processed.
- [COMMAND_EXECUTION]: The skill's metadata includes Bash in the allowed-tools list. While the provided instructions do not demonstrate the use of this tool, granting access to a shell environment for a research task provides a broad capability that could be exploited.
- [EXTERNAL_DOWNLOADS]: The skill utilizes several tools (WebFetch, mcp_web-reader, mcp_zread) to download and read content from external, untrusted websites as part of its core research function. While functional, this represents the primary entry point for untrusted data.
Audit Metadata