qa-appender

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes untrusted dialogue content from the chat context (SKILL.md: 智能识别会话范围, "intelligently identify the conversation scope") and is able to write to the file system (SKILL.md: 写入文件, "write to file"). An attacker can inject malicious instructions into the chat to manipulate the note content or the destination path.
  • [Command Execution] (HIGH): The skill possesses file-writing capabilities. The explicit "No Preview" rule in the execution specification (SKILL.md: 禁止显示完整的待追加内容预览, "do not display a full preview of the content to be appended") removes the critical human-in-the-loop verification step, allowing malicious content or commands to be persisted to disk without the user's knowledge.
  • [Data Exposure & Exfiltration] (MEDIUM): The skill dynamically determines the target file paths it writes to. If the classification logic (references/classification_guide.md) or the path resolution is influenced by an indirect prompt injection, the agent could overwrite or corrupt sensitive system or configuration files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 04:02 AM