rail
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOWSAFE
Full Analysis
- Indirect Prompt Injection (LOW): The skill includes instructions to browse and extract real-time ticket availability and schedule data from external sources.
- Ingestion points: Data is ingested via browser tools from the 12306.cn domain (e.g., kyfw.12306.cn/otn/leftTicket/init).
- Boundary markers: The instructions do not define specific delimiters or instructions to ignore embedded commands within the fetched web content.
- Capability inventory: The agent's capabilities in this context are limited to information retrieval, summarization, and display; it lacks write-access to the file system or arbitrary network exfiltration capabilities.
- Sanitization: There is no mention of sanitizing or filtering the content retrieved from the web before it is processed by the agent.
Audit Metadata