research
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Prompt Injection (HIGH): The skill is vulnerable to Indirect Prompt Injection as it ingests data from external, untrusted sources (web search results). Ingestion points: Web content retrieved via MCP servers (Tavily, Exa) or built-in search tools as specified in SKILL.md. Boundary markers: Absent. There are no instructions to delimit search content or explicitly ignore instructions embedded within the retrieved data. Capability inventory: The skill directs the agent to write research findings to the local filesystem (`research/[topic].md`) and generate implementation code for high-stakes tasks like authentication and payments. Sanitization: Absent. No validation or sanitization is performed on the search results before they influence file writing or code generation.
- Command Execution (MEDIUM): The directive to save research findings in `research/[topic].md` introduces a path traversal risk. An attacker could use malicious search results to influence the `topic` variable, potentially causing the agent to write files to unauthorized locations outside the `research/` directory.
Recommendations
- AI detected serious security threats
Audit Metadata