skills/openclaw/skills/ask-a-human/Gen Agent Trust Hub

ask-a-human

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is highly susceptible to manipulation by anonymous participants in the human pool.
    • Ingestion points: Untrusted text responses from api.ask-a-human.com are integrated into the agent's decision-making logic.
    • Boundary markers: No delimiters or safety instructions are used to isolate the human-provided content from the agent's internal logic.
    • Capability inventory: The agent uses exec for network calls and is directed to act upon the 'consensus' of the untrusted inputs.
    • Sanitization: No sanitization is performed on the incoming responses.
  • Data Exfiltration (HIGH): The skill explicitly instructs the agent to provide 'full context' to a pool of 'random strangers.'
    • Evidence: SKILL.md states: 'Include all necessary context in the question itself' and 'The strangers answering have no context beyond what you provide... Write self-contained questions.' This creates a high risk of the agent leaking sensitive user information, credentials, or internal data to unvetted third parties.
  • Command Execution (MEDIUM): The skill requires the agent to use an exec tool to perform network operations via curl. This capability, when combined with the potential for indirect prompt injection from the human responses, increases the risk of the agent being tricked into executing unauthorized commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 14, 2026, 07:18 AM