rust-learner
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it aggregates content from various untrusted external sources and uses it to drive agent behavior.
- Ingestion points: Data is fetched from
crates.io,lib.rs,Reddit,TWIR, and various third-party blogs. These sources allow users or attackers to publish arbitrary text (e.g., crate descriptions, comments). - Boundary markers: The skill provides no instructions to use delimiters or ignore instructions embedded within the fetched content.
- Capability inventory: The skill leverages the
agent-browserCLI for web automation and theTasksub-agent tool, providing an execution path for injected instructions. - Sanitization: No sanitization or validation of the ingested external content is mentioned.
- [Dynamic Execution] (MEDIUM): The skill instructs the agent to load instructions from variable file paths:
../../agents/<agent-name>.md. This pattern of dynamic prompt loading based on the query type is susceptible to path manipulation if the routing logic is compromised by an injection attack. - [Command Execution] (MEDIUM): The skill explicitly mandates the use of the
agent-browserCLI tool for primary execution. While necessary for the skill's function, this tool grants the agent direct interaction capabilities with the local system's networking and shell environment, which escalates the impact of any successful prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata