narrative-validator

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION] (MEDIUM): Indirect Prompt Injection via untrusted data processing.
      • Ingestion points: The skill ingests a full 'episode' as untrusted input, specifically the references section containing external URLs.
      • Boundary markers: Absent. The instructions do not define clear delimiters (e.g., XML tags or random nonces) to encapsulate the untrusted episode content, making it easier for embedded instructions in the episode to hijack the agent's logic.
      • Capability inventory: The skill is explicitly granted access to the Browser tool to perform network read operations.
      • Sanitization: None. The skill instructs the agent to 'verify every URL' without any pre-validation or blocklisting of sensitive internal ranges (SSRF protection).
  • [DATA_EXFILTRATION] (LOW): Risk of Server-Side Request Forgery (SSRF) and metadata leakage.
      • Evidence: The mandatory requirement to use the Browser tool on user-supplied links allows an attacker to probe internal network services or leak the agent's IP/environment metadata to an external server. While the primary goal is narrative validation, the mechanism allows for outbound network requests to attacker-controlled domains.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 01:24 PM