research-executor

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill is designed to retrieve and analyze information from external websites, creating a surface for indirect prompt injection.
      (1) Ingestion points: WebSearch, WebFetch, and mcp__web_reader__webReader tools are used in Phase 3 and Phase 6 to fetch untrusted content.
      (2) Boundary markers: The instructions do not specify any delimiters or warnings to separate fetched web content from the agent's internal reasoning or sub-agent instructions.
      (3) Capability inventory: The skill uses the Task tool to spawn parallel agents and the Read/Write tool to manage files on the local system.
      (4) Sanitization: There is no logic provided to sanitize or filter external data before it is processed or used in report generation.
  • Command Execution (LOW): The skill utilizes the Task tool with run_in_background: true to deploy multiple sub-agents. While this is a standard orchestration pattern for this skill's purpose, the generation of 'detailed prompts' for these agents based on untrusted web data introduces a risk of sub-agent manipulation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 05:17 PM