propose-hypotheses
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because user-provided content is passed directly to internal sub-agents.
  - Ingestion points: User input enters the agent context through the $ARGUMENTS variable in SKILL.md and via interactive user responses in Step 4.
  - Boundary markers: Absent. The skill does not use delimiters (such as XML tags) or instructions to ignore embedded commands when interpolating user data into prompts in SKILL.md.
  - Capability inventory: The skill and its sub-agents have access to Bash, Read, and Write tools, which could be abused if an injection successfully overrides the agent's logic.
  - Sanitization: Absent. No escaping or validation is performed on external content before it is processed by sub-agents.