research-compound
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill is designed to read AGENTS.md files from the local environment to extract context and patterns. This creates a surface for indirect prompt injection where an attacker could place malicious instructions inside a repository's AGENTS.md file.
  - Ingestion points: Reads AGENTS.md files during the 'Pre-Research' phase using the Read tool.
  - Boundary markers: None. The instructions do not specify any delimiters or warnings to ignore instructions found within the files being read.
  - Capability inventory: Uses the Edit and Glob tools to modify or create files (AGENTS.md) and search the directory structure.
  - Sanitization: None. Extracted content is processed and potentially appended to other files without validation or escaping.
- Command Execution (LOW): The skill documentation includes bash examples for finding files (e.g., `find . -name "AGENTS.md"`). While these are provided as examples for the agent's logic, they indicate an expectation of shell access to perform file operations.
Audit Metadata