skill-composer-studio

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The core functionality of the skill involves chaining outputs to inputs ('Output from step N becomes input for step N+1') without safety boundaries.
  • Ingestion points: Data enters the context via the output of chained skills (SKILL.md).
  • Boundary markers: The instructions lack requirements for delimiters or 'ignore embedded instructions' prompts when passing data between tools.
  • Capability inventory: The skill claims to 'Execute the full workflow' using 'all 81 skills in the catalog.' This suggests the orchestrator can trigger tools with side effects (file writes, network access, or command execution) based on potentially poisoned data from a preceding step.
  • Sanitization: No sanitization, escaping, or validation of the data being passed between workflow steps is defined, allowing malicious data to be interpreted as agent commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:23 PM