rag-pipeline-builder
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill implements a RAG pipeline that is inherently susceptible to indirect prompt injection from untrusted document content.
  - Ingestion points: The scripts/ingest_documents.py script (line 218) recursively reads markdown and MDX files from a user-provided directory, which are then stored as vector embeddings.
  - Boundary markers: The prompt template in templates/fastapi-endpoint-template.py (lines 193-201) uses "---" delimiters and structural labels ("Context:", "Question:", "Answer:") to separate retrieved data from system instructions, which provides a basic but non-exhaustive layer of defense.
  - Capability inventory: The skill is primarily focused on generating text responses based on context; it does not currently possess capabilities to execute code, access the file system, or perform network requests based on the LLM's generated output.
  - Sanitization: There is no evidence of content sanitization or instruction-filtering on the ingested document text before it is interpolated into the generation prompt.
- [CREDENTIALS_UNSAFE]: Sensitive API keys are handled via insecure command-line arguments.
  - Evidence: The ingestion and testing scripts (scripts/ingest_documents.py and scripts/test_rag.py) include a --openai-key parameter. Passing secrets as command-line arguments can result in them being exposed in process listings (e.g., ps aux) and shell history files (e.g., ~/.bash_history).
Audit Metadata