Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill accepts external content and has the capability to perform public actions (social media posting).
  - Ingestion points: The `post_caption` field in `SKILL.md` is intended for user-provided or agent-generated text.
  - Boundary markers: There are no delimiters or instructions to ignore embedded commands within the input data.
  - Capability inventory: The skill uses `refly skill run` to execute a remote workflow that publishes content to Instagram.
  - Sanitization: No evidence of sanitization, escaping, or validation of the caption content before it is sent to the remote API.
- [External Downloads] (MEDIUM): The skill's core logic is managed by an external provider (`refly.ai`) and the skill itself is installed from an unverified source.
  - The installation command `refly skill install` downloads a skill package from a non-whitelisted domain.
  - The execution logic relies on a remote `workflowId` which cannot be locally inspected for security flaws or malicious behavior.
Recommendations
- AI detected serious security threats