internal-comms
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest vast amounts of untrusted data from Slack, Email, and Google Drive and use it to generate company-wide communications.
- Ingestion points: Identified in
examples/3p-updates.md,examples/company-newsletter.md, andexamples/faq-answers.md(Slack messages, Email threads, Google Drive docs, Calendar events). - Boundary markers: Entirely absent. There are no instructions to the agent to distinguish between its operational instructions and the content within the documents/messages it reads.
- Capability inventory: The skill generates outputs for high-stakes audiences (executives, company-wide newsletters, leadership updates). A malicious actor could embed instructions in a Slack post or email to influence the content of the official newsletter or FAQ.
- Sanitization: No validation or sanitization of ingested content is mentioned.
- Data Exposure (HIGH): The skill explicitly instructs the agent to seek out sensitive internal data points.
- Evidence: Instructions in
examples/company-newsletter.mdandexamples/3p-updates.mdspecifically direct the agent to find "docs written from critical team members," "emails from executives," "company-wide vision docs," and "product reviews." - Risk: While the intended use is summarization, this creates a pattern where the agent is trained to aggregate high-value internal secrets and private communications, which could be exploited or accidentally leaked if the agent is also tasked with external-facing roles.
Recommendations
- AI detected serious security threats
Audit Metadata