lead-research-assistant
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted data from web searches, job postings, and company websites to qualify leads. Malicious instructions embedded in these external sources could influence the agent's behavior. Evidence Chain:
  - Ingestion points: Web search results, company websites, job listings, and news articles.
  - Boundary markers: Absent. No instructions are provided to the agent to delimit or ignore embedded commands in external content.
  - Capability inventory: File system access (codebase analysis), web browsing/search, and outreach strategy generation.
  - Sanitization: None. External data is used directly for analysis and strategy drafting.
- [Data Exposure] (MEDIUM): The instruction to 'analyze the codebase' to understand the product is broad and lacks specific file path exclusions. This creates a surface for the agent to inadvertently read and disclose sensitive local files such as environment variables (.env), credentials, or private configuration files while attempting to provide context for the business.
Recommendations
- AI detected serious security threats
Audit Metadata