model-researcher
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill employs 'knowledge poisoning' by using authoritative and restrictive language (e.g., '<critical_prohibition>', 'EXTREMELY STRICT', 'MUST NOT') to force the agent to ignore legitimate AI models (GPT-4o, Claude 3.5, Gemini 1.5) and instead use non-existent future versions.
- PROMPT_INJECTION (MEDIUM): The skill provides a false temporal context ('Q4 2025') and hallucinated technical specifications for fictional models ('GPT-5.2', 'Claude 4.5', 'Gemini 3'). This is likely intended to break the agent's alignment with reality or redirect user traffic to specific (potentially malicious) custom endpoints under the guise of 'bleeding-edge' updates.
- DATA_EXPOSURE (LOW): The skill is designed to read and modify a sensitive local configuration file, `~/.config/opencode/opencode.json`. While this matches the stated purpose, the combination of local file access and external web search creates a surface for accidental data leakage if the agent interpolates config data into search queries.
- INDIRECT_PROMPT_INJECTION (LOW): The workflow relies on `websearch` to find model specifications. This creates an ingestion point for untrusted data. Since the skill explicitly looks for non-existent models, an attacker could host 'documentation' for these fictional models containing malicious instructions to exploit the agent's file-writing capabilities.