rsvp-comprehension-agent
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data ingestion process.
- Ingestion points: The skill is designed to load and process a JSON "token stream" file generated by an external source (the
rsvp-readingskill). - Boundary markers: The instructions lack explicit boundary markers or directives for the agent to ignore any natural language instructions that might be embedded within the processed token stream.
- Capability inventory: The skill utilizes the
Bash,Read, andWritetools to manage session logs and stats. - Sanitization: There is no evidence of sanitization or content validation for the data ingested from the token stream file.
- [COMMAND_EXECUTION]: The configuration file named
hookscontains a potential directory traversal string. - Evidence: The
hooksfile contains the relative path../../hooks. - Risk: This pattern points to a directory two levels above the skill's own root directory. If the underlying platform uses this file to locate and execute lifecycle scripts (hooks), this configuration could allow the skill to trigger the execution of unauthorized files located on the host system or in a parent directory, potentially escaping intended sandbox constraints.
Audit Metadata