todo-update
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): Ingests untrusted content from todo files and user input while possessing file-writing capabilities.
  • Ingestion points: Phase 4 reads existing todo files; Phase 3 accepts user-provided notes and paths.
  • Boundary markers: None; the agent processes markdown content directly into its context.
  • Capability inventory: File modification (Phase 4) and central README updates (Phase 6).
  • Sanitization: None described; the agent parses frontmatter and logs without escaping potential injection strings.
- [Data Exposure & Exfiltration] (MEDIUM): Potential path traversal via unvalidated user input.
  • Evidence: Phase 3 prompts for file paths relative to a knowledge base root.
  • Impact: Lack of path validation allows referencing files outside the intended directories, which could lead to sensitive data exposure in the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata