ship-learn-next
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to the combination of external data ingestion and file system write access.
- Ingestion points: In Step 1, the skill reads content from a user-provided FILE_PATH. This data is untrusted and could contain hidden instructions.
- Boundary markers: There are no explicit delimiters or instructions provided to the agent to disregard natural language commands embedded within the input file.
- Capability inventory: The skill utilizes both Read and Write tools. While the intended use is to generate a Markdown plan, an attacker could craft an input file that tricks the agent into using the Write tool to create malicious scripts or overwrite configuration files if the environment allows.
- Sanitization: The skill lacks any sanitization, filtering, or validation logic for the content read from external sources before it is processed by the agent's reasoning engine.
Audit Metadata