adr-management
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
  * Ingestion Points: The skill reads existing ADR files from '/architecture/adr/' via 'Read' and 'Grep' and processes external search results from 'mcp__perplexity__search' and 'mcp__context7__query-docs'.
  * Boundary Markers: None provided. There are no instructions to use delimiters or to ignore embedded instructions within the processed data.
  * Capability Inventory: The skill possesses 'Write' capabilities (allowing file modification) and the 'Skill' tool (allowing it to invoke other agents such as 'visualization:diagram-generator').
  * Sanitization: None provided. The skill does not validate or filter content before using it in decision-making or file creation.
- DATA_EXFILTRATION (MEDIUM): The workflow encourages using external MCP search tools to research best practices. If the agent includes sensitive internal context or design details in the search queries to these third-party providers, it constitutes unintended data exposure.
- METADATA_POISONING (LOW): The skill uses authoritative language ('This is the CANONICAL ADR skill') in the description to influence agent selection, though no malicious instructions were found in the metadata itself.
Recommendations
- AI detected serious security threats