lead-research-assistant

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, NO_CODE
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill directs the agent to research external companies and 'signals of need' via web searching. This ingestion point lacks any boundary markers or instructions to ignore embedded commands. Evidence: Section 3 'Research and Identify Leads' instructs searching for companies and signals without sanitization requirements.
  • Data Exposure (HIGH): The skill instructions explicitly suggest running the agent from the product's source code directory and command the agent to 'analyze the codebase'. This grants the agent read access to potentially sensitive local files like .env, configuration secrets, or private source code. Evidence: 'Basic Usage' and 'Instruction 1' specify analyzing the codebase to understand the product.
  • Capability Inventory (INFO): The skill utilizes high-privilege read capabilities (local file system) alongside external data ingestion (web search). This specific combination creates the primary risk vector for data exfiltration via prompt injection.
  • Missing Sanitization (LOW): There are no instructions for the agent to sanitize or validate data retrieved from external searches before it is incorporated into reports or used for decision-making.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:09 AM