review-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, NO_CODE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and analyze external code and instructions from other skills, creating a major vulnerability surface.
  - Ingestion points: The skill uses Read, Glob, and Grep to ingest the contents of external skill directories.
  - Boundary markers: None. There are no instructions to the agent to isolate or treat content from reviewed skills as data rather than instructions.
  - Capability inventory: The skill requests the Bash, Write, and Edit tools. A malicious skill being reviewed could include 'jailbreak' instructions that trick the agent into using these tools to attack the host system.
  - Sanitization: None. The agent is not instructed to sanitize or escape the content it reads from files before processing it.
- Command Execution (MEDIUM): The skill requests broad Bash tool access but contains no static shell scripts. This gives the agent unconstrained execution authority based on the output of its (potentially poisoned) analysis.
- No Code (INFO): The skill consists entirely of markdown instructions and language descriptions. It lacks implementation scripts, relying entirely on the agent's interpretation of the provided workflow.
Recommendations
- AI detected serious security threats
Audit Metadata