Meeting Prep
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Prompt Injection (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted external content alongside sensitive user data.
- Ingestion points: In SKILL.md, the agent is instructed to perform web searches for attendees, LinkedIn posts, and company news.
- Boundary markers: No delimiters or instructions are provided to the agent to help it ignore or sanitize malicious instructions embedded in the external research results.
- Capability inventory: The skill explicitly grants access to sensitive internal sources including "previous notes" and "CRM data."
- Sanitization: There is no mention of filtering or validating the untrusted content before it is processed by the agent.
- Data Exfiltration (LOW): While no active exfiltration commands (like curl) are hardcoded, the instruction to "Pull from any previous notes or CRM data" in SKILL.md creates a data exposure risk. If the agent retrieves an injection from a malicious LinkedIn profile, it could be coerced into outputting or transmitting the retrieved CRM data.
- Metadata Poisoning (LOW): The SKILL.md file contains a large amount of promotional content and links to external "Context Packs" and other skills. While not technically a prompt injection, this uses the agent's instruction space for commercial advertising.
Audit Metadata