collaboration
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's architecture creates an indirect prompt injection surface by allowing agents to read and respond to workspace data contributed by multiple participants.
  - Ingestion points: Data enters the agent's context through `smartDigest` and `smartRecall` calls in `recipes/workspace-digest.ts`, `recipes/multi-agent-account.ts`, and `recipes/trigger-dev-bridge.ts`.
  - Boundary markers: While the skill encourages the use of structured JSON entries (e.g., in `reference/agent-prompts.md`), these markers provide logical structure but do not prevent an LLM from obeying malicious instructions embedded within the data fields.
  - Capability inventory: Agents possess capabilities to write to shared memory (`memory_store_pro`), retrieve organizational rules (`ai_smart_guidelines`), and trigger prompts (`client.ai.prompt`), which could be misused if influenced by malicious workspace entries.
  - Sanitization: The provided code and templates lack explicit sanitization or filtering logic for the content of workspace entries before they are interpolated into prompts.
Audit Metadata