ai-building-chatbots

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection due to the way it handles untrusted data.
  • Ingestion points: Untrusted data enters the agent via user_message in the handle_message function (examples.md) and through the docs retrieved by the retriever in SupportBot.forward and FAQBot.forward.
  • Boundary markers: There are no delimiters or boundary markers (e.g., XML tags, triple backticks) used in the dspy.Signature definitions to isolate user-provided text from instructions.
  • Capability inventory: The skill uses dspy.Predict and dspy.ChainOfThought to classify intent and generate responses. While no direct file-system or network-write capabilities are shown, the intent classification directly controls the logic flow (e.g., triggering escalate_node).
  • Sanitization: No input validation or sanitization is performed on user_message or docs before they are interpolated into the prompt signatures.
  • Risk: An attacker could provide a user_message or poison the retrieved docs to override the ClassifyIntent signature, forcing an unearned escalation or manipulating the SupportResponse to leak previous conversation_history or internal retrieval logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:26 AM