ln-511-test-researcher
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection as it processes content from external, attacker-controllable sources.
- Ingestion points: Untrusted data enters via Linear story descriptions (Phase 2) and Web Search results from forums like Reddit and StackOverflow (Phases 3, 4, and 5).
- Boundary markers: Absent. The instructions do not specify any delimiters or safety guardrails to prevent the agent from following instructions embedded in the researched content.
- Capability inventory: The agent can read local files (docs/tasks/kanban_board.md), perform network searches, and write comments to the Linear API.
- Sanitization: Absent. There is no mention of filtering or escaping external content before it is compiled into findings.
- [DATA_EXFILTRATION] (MEDIUM): The skill reads sensitive local project metadata (docs/tasks/kanban_board.md) to discover a Team ID. In an adversarial scenario triggered by indirect injection, this local data or the contents of Linear stories could be exfiltrated through search queries or by being leaked into the Linear comments posted in Phase 6.
Recommendations
- AI detected serious security threats