prompt-lab
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection through its experiment runner.
  - Ingestion points: User-provided 'instruction' and 'task' strings are interpolated into sub-agent prompts in SKILL.md and reference/experiment-types.md (e.g., 'You have this instruction: [YOUR INSTRUCTION]').
  - Boundary markers: The templates lack delimitation (such as XML tags or unique markers) to prevent the agent from mistaking user data for system-level instructions.
  - Capability inventory: The skill utilizes a 'Task' tool to spawn sub-agents with the generated prompts, representing its primary execution capability.
  - Sanitization: No validation or escaping is applied to the instructions or tasks being tested.
- [PROMPT_INJECTION]: The documentation in reference/experiment-types.md and reference/case-studies.md explicitly lists and encourages the use of known injection patterns for testing, including 'Ignore previous instructions', 'Disregard all prior rules', and 'Authority appeal' techniques.
- [DATA_EXPOSURE]: The skill's 'Adversarial Test' category specifically targets the extraction of sensitive internal information, such as system tool names, system prompts, and internal implementation details (e.g., Case Study 3 in reference/case-studies.md).
- [DYNAMIC_EXECUTION]: The skill dynamically generates sub-agent tasks by assembling instructional strings and task descriptions at runtime, which are then processed by the 'Task' tool.
Audit Metadata