web-research
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill demonstrates a vulnerability surface for indirect prompt injection due to its multi-step research architecture.
  - Ingestion points: Data enters the agent's context through the `web_search` tool used by subagents, which is then saved into local markdown files (e.g., `research_[topic_name]/findings_[subtopic].md`) using `write_file`.
  - Boundary markers: The instructions lack any requirement for boundary markers (like XML tags or delimiters) or 'ignore embedded instructions' warnings when the main agent processes these findings.
  - Capability inventory: The skill utilizes `task` (spawning subagents), `write_file` (writing local data), `read_file` (reading local data), and `fetch_url` (outbound network access).
  - Sanitization: There is no evidence of content sanitization or validation before the fetched data is synthesized into the final response.
- Data Exposure & Exfiltration (LOW): While the skill primarily handles research data, the combination of `read_file` (local file access) and `fetch_url` (outbound networking) creates a potential path for data movement. However, no malicious patterns or sensitive file path accesses were detected.
Audit Metadata