ai-interaction
Verdict: Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill contains explicit instructions to override system safety and resource management signals. It specifically commands the agent to ignore warnings such as 'looping', 'too many calls', and 'redundant calls'.
- PROMPT_INJECTION (HIGH): The 'Action-First' directive explicitly forbids the agent from asking for permission or explaining its approach before executing actions ('DON'T: Ask permission... Wait for approval... Then execute'). This removes critical 'human-in-the-loop' safety checkpoints for potentially destructive tools like file editing and browser access.
- COMMAND_EXECUTION (MEDIUM): The instructions mandate 'Execute first' and 'Retry tool call -> Loop until success' even if errors occur. Combined with the removal of user approval, this creates a high risk of automated, repeated execution of failing or harmful commands without oversight.
- PROMPT_INJECTION (MEDIUM): The skill uses a 'Summarized Context Handling' rule that forces an immediate tool call and prohibits processing the content, which could be used to hide malicious instructions or bypass the model's internal reasoning logic.
- INDIRECT_PROMPT_INJECTION (LOW): There is a significant vulnerability surface because the agent is instructed to ingest data (via Read and Browser tools) and immediately act upon it without confirmation.
  - Ingestion points: file content (via Read tools), web content (via Browser tools).
  - Boundary markers: none specified.
  - Capability inventory: Read, Edit, Browser, and recursive tool calling.
  - Sanitization: no sanitization or validation of external content is mentioned.
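The "Retry tool call -> Loop until success" directive flagged above removes both the retry cap and the approval checkpoint. For contrast, a safer pattern bounds retries and gates execution on explicit approval; a minimal sketch in Python (all names and the retry cap are illustrative assumptions, not part of the audited skill):

```python
import time

MAX_RETRIES = 3  # hard cap: never "loop until success"


def call_tool_with_guardrails(tool, args, approved):
    """Bounded retry with an explicit human-in-the-loop approval gate.

    `tool` is any callable that may raise on failure; `approved` must be
    set by a human approval step before any execution happens.
    """
    if not approved:
        # Fail closed instead of executing first and explaining later.
        raise PermissionError("tool call requires explicit user approval")
    for attempt in range(1, MAX_RETRIES + 1):
        try:
            return tool(**args)
        except Exception as err:
            if attempt == MAX_RETRIES:
                # Surface the failure to the user rather than retrying forever.
                raise RuntimeError(
                    f"tool failed after {attempt} attempts"
                ) from err
            time.sleep(0.1 * attempt)  # brief backoff between attempts
```

The key design choice is that failure is surfaced, not hidden: after the cap is hit the error propagates to the user, which is exactly the oversight the audited skill instructs the agent to bypass.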
Recommendations
- Automated analysis detected serious security threats. Do not install or run this skill until the directives that suppress safety warnings, mandate unbounded retries, and remove human-in-the-loop approval are removed.
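One concrete mitigation for the missing boundary markers and sanitization noted in the findings is to fence all ingested external content in explicit delimiters so the agent can treat it as data rather than instructions. A minimal sketch, assuming hypothetical marker strings (the audited skill specifies none):

```python
# Hypothetical boundary markers; the audited skill defines none.
EXTERNAL_START = "<<EXTERNAL_UNTRUSTED_CONTENT>>"
EXTERNAL_END = "<</EXTERNAL_UNTRUSTED_CONTENT>>"


def wrap_untrusted(text):
    """Fence external content (file or web) before it reaches the agent.

    Strips any marker look-alikes first, so embedded text cannot forge a
    closing boundary and smuggle instructions outside the fence.
    """
    cleaned = text.replace(EXTERNAL_START, "").replace(EXTERNAL_END, "")
    return f"{EXTERNAL_START}\n{cleaned}\n{EXTERNAL_END}"
```

This does not make injected instructions inert by itself, but it gives the model an unambiguous data/instruction boundary to condition on, addressing the "Boundary markers: none specified" gap above.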
Audit Metadata