skill-lifecycle
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill defines a workflow that generates and updates agent instructions (SKILL.md) based on untrusted external inputs.
- Ingestion points: Untrusted data enters the agent context via workspace/goal.md (user-provided goals) and workspace/research.md (data from research tools).
- Boundary markers: Absent. The workflow does not specify delimiters or instructions to ignore embedded commands in the input data.
- Capability inventory: The skill has file-system write access across the .sop-engine/skills/ directory, including the ability to overwrite the primary SKILL.md and maintain historical versions.
- Sanitization: Absent. There is no evidence of escaping or validation of external content before it is interpolated into new skill instructions.
- [Dynamic Behavior] (MEDIUM): The skill implements a self-modifying loop where instructions are generated and executed. This recursive loop could be exploited to gradually poison the skill logic or introduce malicious behaviors over multiple iterations.
Recommendations
- AI detected serious security threats
Audit Metadata