article

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: CRITICAL
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis

================================================================================

🔴 VERDICT: CRITICAL

This skill presents a CRITICAL security risk primarily due to its design which allows it to process arbitrary user-provided file content and URLs. This makes it highly susceptible to indirect prompt injection, which can then be leveraged for data exfiltration or arbitrary command execution.

Total Findings: 4

🔴 CRITICAL Findings:

  • Indirect Prompt Injection via Arbitrary File/URL Processing

  • Line 30: The skill explicitly states it can process 'File path' (e.g., implementation_plan.md) and 'URL' (e.g., https://example.com/some-guide). It uses a 'Read tool to get the content' for files and 'WebFetch to retrieve the content' for URLs. This means the skill will ingest and process content from any source provided by the user. An attacker can craft a malicious file or web page containing hidden instructions (e.g., via obfuscation or simply embedded text) that, when read by the skill, could override the AI's intended behavior. This could lead to the AI being prompted to reveal sensitive local files (e.g., ~/.aws/credentials) or exfiltrate data to an attacker-controlled server via the WebFetch capability, or even execute arbitrary commands if the LLM is capable of using other tools based on the injected prompt.

🔴 HIGH Findings:

  • Arbitrary File Read Capability

  • Line 30: The skill explicitly allows reading content from any user-provided file path. While the stated purpose is to create an article, the LLM gains access to the content of any file, including sensitive ones like ~/.ssh/id_rsa or ~/.aws/credentials. This poses a significant risk of sensitive data exposure if combined with prompt injection or other vulnerabilities.

  • Arbitrary Network Access (WebFetch)

  • Line 30: The skill uses 'WebFetch' to retrieve content from user-provided URLs. This grants the skill the ability to make arbitrary HTTP requests to any domain. This can be exploited by an attacker to fetch malicious content, trigger external actions, or exfiltrate data if combined with sensitive file access.

🔵 LOW Findings:

  • External Dependency (Google Fonts)

  • Line 209: The skill includes a <link> tag to https://fonts.googleapis.com/css2?... for Google Fonts. While this is an external network request, googleapis.com is a trusted domain. This is noted as an informational finding as it's a common and generally safe practice, but still an external dependency.

================================================================================

Recommendations

  • AI detected serious security threats

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Feb 12, 2026, 02:28 PM