spark
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local pre-compiled binaries (./spark/tools/memory and ./spark/tools/tavily-search) to perform database operations and network searches. Bundled binaries are opaque, meaning their internal behavior cannot be audited or verified, which poses a risk as they operate with the same privileges as the agent.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to the Tavily search service to gather market research data. This involves sending user-related keywords to an external API and requires the user to provide a TAVILY_API_KEY in the environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes content from external search results without proper sanitization or boundary markers.
  - Ingestion points: Step 4 parses JSON output from the tavily-search tool which contains content from arbitrary third-party websites.
  - Boundary markers: Absent. The instructions do not include delimiters or specific guidance to the agent to ignore any instructions found within the retrieved search data.
  - Capability inventory: The skill can execute shell commands via the bundled binaries and maintain state in a local SQLite database (spark/memory.db).
  - Sanitization: Absent. There is no evidence of validation or filtering for the external content before it is processed by the agent to generate ideas.
Audit Metadata