internal-comms
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core functionality relies on ingesting untrusted data from multiple external sources to generate high-visibility internal communications.
- Ingestion points: Slack channels, Google Drive documents, Email threads, and Calendar event descriptions (identified in examples/3p-updates.md, examples/company-newsletter.md, and examples/faq-answers.md).
- Boundary markers: None. The instructions do not provide delimiters or warnings to ignore instructions embedded within the ingested data.
- Capability inventory: The skill is designed to produce content for company-wide distribution ("1000+ people") via Slack and email. This high-impact output acts as a side effect that can spread malicious content if the agent is compromised.
- Sanitization: Absent. There is no requirement for the agent to filter or validate the content retrieved from external tools before summarizing it.
- [Data Exposure] (MEDIUM): The skill encourages the agent to search for "docs written from critical team members with lots of views" and "emails with lots of responses." This behavior may lead to the inadvertent exposure of private or sensitive information if the agent summarizes restricted content for a broader company-wide audience without verifying access permissions.
Recommendations
- AI detected serious security threats