user-research
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security issues were identified. The skill is designed for senior UX research specialists and focuses on qualitative and quantitative analysis using established frameworks.
- [PROMPT_INJECTION]: The skill ingests untrusted data from external sources via
WebFetchandWebSearchtools (SKILL.md), which is a surface for indirect prompt injection. However, the instruction to use fixed reporting formats (Finding/Heuristic/Evidence) helps prevent the agent from executing malicious instructions found in analyzed content. • Ingestion points: WebFetch and WebSearch tools used on target products and interfaces. • Boundary markers: Absent; there are no explicit delimiters or instructions to ignore commands within external content. • Capability inventory: Read, Write, Edit, Glob, Grep, WebSearch, and WebFetch (SKILL.md). • Sanitization: Absent; no validation or filtering of ingested content is specified. - [DATA_EXFILTRATION]: No patterns of unauthorized data exfiltration were found. The skill instructs the agent to save research reports to standard internal project directories such as
.claude/context/reports/backend/(SKILL.md). - [COMMAND_EXECUTION]: The included Node.js script (
scripts/main.cjs) is a non-functional scaffold that merely parses arguments and provides a help message. It contains no dangerous subprocess calls or shell command execution paths.
Audit Metadata