prompt-assemble
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- Prompt Injection (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it facilitates the mixing of untrusted user input and external memory data into agent prompts without demonstrated safeguards.
- Ingestion points: Untrusted data enters the prompt via user_input and the results of memory_search_fn (referenced in SKILL.md).
- Boundary markers: The logic in SKILL.md shows simple concatenation, assemble(base_context + summarized_memories), with no use of delimiters (e.g., XML tags or Markdown headers) to isolate untrusted content.
- Capability inventory: The resulting prompt is intended for a direct LLM call, which typically controls the agent's actions and decisions.
- Sanitization: There is no mention of sanitization, escaping, or validation of the retrieved memories or user-provided triggers before they are injected into the context.
- Metadata Poisoning (LOW): The documentation contains misleading instructions. The 'Quick Start' section directs users to copy scripts/prompt_assemble.py, but this critical file is missing from the skill package.
Audit Metadata