brainstorming
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the 'Visual Companion' interaction data.
- Ingestion points: The `visual-companion.md` guide instructs the agent to read interaction data (clicks, selections) from the `$SCREEN_DIR/.events` file on every turn after the user responds.
- Boundary markers: The instructions do not define clear boundary markers or instructions for the agent to treat the content of the `.events` file as potentially untrusted input.
- Capability inventory: The skill has significant capabilities, including reading project files, writing design specifications to disk, committing changes to git (`SKILL.md`), and invoking downstream implementation skills (writing-plans).
- Sanitization: No sanitization or validation logic is prescribed for the agent when processing the browser-generated events, which could allow a malicious actor or site (if the user navigates elsewhere) to inject instructions into the agent's context through the structured interaction log.
Audit Metadata