sop-creator
Pass
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: LOW
Category: PROMPT_INJECTION
Full Analysis
- [Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection because it interpolates untrusted user-provided process descriptions directly into its task execution logic.
  1. Ingestion points: User-provided process descriptions entering via $ARGUMENTS or follow-up messages.
  2. Boundary markers: Absent; no delimiters (e.g., XML tags or triple quotes) are used to isolate user input from the skill's instructions.
  3. Capability inventory: The skill can read 'FOUNDER_CONTEXT.md' and use the 'AskUserQuestion' tool.
  4. Sanitization: None; the skill does not validate or filter the user-provided text before processing it.
- [Data Exposure] (INFO): The skill intentionally reads 'FOUNDER_CONTEXT.md' from the project root. While this is a documented feature for personalization, a malicious user could potentially use prompt injection to trick the agent into leaking the sensitive business context contained within that file.
Audit Metadata