research-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): High susceptibility to Indirect Prompt Injection (Category 8). \n
- Ingestion points: The skill actively fetches external, untrusted content from the web and GitHub via WebSearch, WebFetch, and repository exploration tools (referenced in SKILL.md). \n
- Boundary markers: Absent. The workflow lacks markers or instructions to isolate external data from the agent's command processing logic. \n
- Capability inventory: The skill is permitted to use Bash, Write, Edit, and Read tools, allowing for file modification and system-level commands. \n
- Sanitization: There is no evidence of sanitization or validation of the fetched content before it is processed by the agent. \n- [COMMAND_EXECUTION] (MEDIUM): The workflow utilizes general-purpose command execution tools in a high-risk context. \n
- Evidence: Bash is explicitly listed in the allowed-tools metadata in SKILL.md. \n
- Risk: The use of Bash to process outputs derived from untrusted internet content increases the likelihood of an attacker-controlled string being executed on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata