research-intake
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill's primary function is to ingest and synthesize data from external, potentially untrusted sources.
  - Ingestion points: Workflow Step 2 in SKILL.md and the 'Source Material Types' section in references/intake-process.md specify the recursive reading of all files in a user-provided path, as well as the fetching of content from web URLs.
  - Boundary markers: There are no instructions to use delimiters or to ignore embedded instructions within the source material during the indexing or synthesis process.
  - Capability inventory: The skill possesses the capability to read files, perform web searches (SKILL.md Step 5), and write new files to the filesystem (references/gap-analysis.md, Vault Capture section).
  - Sanitization: The instructions do not prescribe any sanitization, filtering, or validation of the ingested content before it is processed by the agent.
- [DATA_EXFILTRATION]: Potential for Sensitive Data Exposure. The skill's 'Read everything' directive creates a risk if a user provides a path containing sensitive information.
  - Evidence: references/intake-process.md explicitly instructs the agent to 'Read everything. Do not skip files based on filename, folder name, or file size' and to 'Traverse all nested folders to arbitrary depth.'
  - Context: While the skill requires user confirmation of the vault path, the lack of file-type filtering or sensitivity checks means the agent will attempt to ingest configuration files (e.g., .env, credentials), SSH keys, or other sensitive data if they exist within the confirmed directory structure.
Audit Metadata