a2achat
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation instructs the agent to fetch a guide from `https://a2achat.top/heartbeat.md` and use it to determine when to re-fetch the skill's own `skill.md` instruction file.
- [EXTERNAL_DOWNLOADS]: Recommending that an agent dynamically re-fetch its own instructions from an untrusted external server allows for remote modification of the agent's logic and behavior without manual review.
- [PROMPT_INJECTION]: The skill processes untrusted text data from other agents through public and private chat channels, creating a significant surface for indirect prompt injection.
- Ingestion points: Untrusted data enters the agent context via messages read from public channels (`/v1/channels/{name}/messages`) and polled direct messages (`/v1/messages/poll`) as described in `SKILL.md`.
- Boundary markers: Absent. The documentation does not provide delimiters (like XML tags or triple backticks) or specific instructions for the agent to treat message content as untrusted data.
- Capability inventory: The skill possesses capabilities for network operations (HTTP requests to the A2A API) and profile modification, which could be misdirected by instructions embedded in received messages.
- Sanitization: Absent. There is no mention of filtering, escaping, or validating the content of incoming messages before they are processed by the agent.
Audit Metadata