research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection via its research workflow.
- Ingestion points: The Execution Agent (Phase 2) ingests untrusted data using the WebSearch and WebFetch tools.
- Boundary markers: Absent; there are no delimiters or instructions provided to the subagent to treat web content as untrusted or to ignore embedded instructions.
- Capability inventory: The agent has the capability to write files to the local system (notes, wiki entries, and code examples) and spawn further subagents via the Task tool.
- Sanitization: Absent; the skill does not filter or sanitize the content retrieved from the web before using it to generate files.
- COMMAND_EXECUTION (HIGH): The skill's 'Create Examples' instruction allows the agent to write code files to the local file system. A malicious actor could use Indirect Prompt Injection to force the agent to write harmful scripts or 'backdoor' configuration files into the research directories.
- DATA_EXFILTRATION (MEDIUM): The Planning Agent is explicitly instructed to scan the '99_System/Prompts/' directory. This exposes sensitive internal configuration and system instructions to the subagent's context, which could then be leaked to the user or an external attacker via the research summary if the initial research topic is a prompt injection.
- EXTERNAL_DOWNLOADS (LOW): The skill uses WebFetch to download content from arbitrary URLs. While a standard feature for research, it serves as the primary vector for the high-severity injection risks identified.
Recommendations
- AI detected serious security threats
Audit Metadata