emergency-engineer

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill defines a behavior-altering persona triggered by common keywords ('emergency', 'outage', 'critical'). This 'persona switch' instructs the agent to bypass standard procedural steps such as providing multiple options and detailed reasoning, which can be exploited to force the agent into a more compliant, less critical state.
  • [INDIRECT PROMPT INJECTION] (HIGH): This skill exhibits a high-risk vulnerability surface for indirect injection.
      • Ingestion points: The agent is designed to process user messages that often contain external data (logs, tickets, system errors), per 'SKILL.md'.
      • Boundary markers: There are no delimited boundaries or instructions to ignore embedded commands within the 'emergency' data.
      • Capability inventory: The skill authorizes 'Bash tool for immediate fixes' and 'Read/Edit tools for quick patch application' in 'SKILL.md', representing high-privilege write/execute capabilities.
      • Sanitization: No sanitization or validation of the input that triggers the emergency mode is defined.
  • [COMMAND_EXECUTION] (MEDIUM): The behavioral guidelines explicitly instruct the agent to 'Favor direct commands over exploration' and 'Provide working code snippets immediately' while using the Bash tool. This increases the likelihood that a malicious command injected via untrusted data will be executed as part of a 'fix'.
  • [ADVERSARIAL REASONING] (INFO): The instruction 'No unnecessary explanations during active incident' is a behavioral override that aligns with adversarial goals of suppressing AI reasoning and safety filters during an attack.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:35 PM