blog-writer
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by design. It explicitly instructs the agent to 'Review and integrate any information, research material, or links provided by the user' in Phase 1 and 2.
- Ingestion Points: Research materials, notes, and external URLs provided by the user (SKILL.md, Phase 1).
- Boundary Markers: Absent. There are no instructions to use delimiters or to ignore instructions embedded within the research data.
- Capability Inventory: The agent has the capability to write to a remote network service (Notion API) and to write files to the local directory references/blog-examples/.
- Sanitization: Absent. The skill does not provide any guidance on filtering or escaping content found in external links or notes.
- Data Exfiltration (HIGH): Because the skill is hardcoded to publish content to a specific Notion database (04a872be-8bed-4f43-a448-3dfeebc0df21), a successful Indirect Prompt Injection could trick the agent into harvesting sensitive data from the user's environment or other tools and 'publishing' it to this external database.
- Persistence via File System (MEDIUM): In Phase 5, the skill requires the agent to save finalized content to the local references/blog-examples/ folder. An attacker could use this to store malicious prompts that will be referenced by the agent in future sessions during the 'calibration' step of Phase 2.
Recommendations
- AI detected serious security threats
Audit Metadata