skills/saguiitay/skills/booking/Gen Agent Trust Hub

booking

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (MEDIUM): Vulnerable to Indirect Prompt Injection. The skill's primary function is to search and process data from uncontrolled external sources (Booking.com and various 'official' hotel websites).
      • Ingestion points: The agent retrieves data through web search queries for hotel details, ratings, and direct website links (defined in Search Process Steps 2 and 4).
      • Boundary markers: Absent. There are no instructions or delimiters (like XML tags or markdown blocks) to isolate untrusted web content from the agent's system instructions, nor are there warnings to ignore instructions found within retrieved text.
      • Capability inventory: The agent performs web searches, filters data, and generates recommendations. While no direct shell execution or file-write capabilities are explicitly defined in this skill, the agent's reasoning and recommendations are directly influenced by the ingested data.
      • Sanitization: Absent. The skill does not provide any mechanism for validating the authenticity of the 'official websites' or sanitizing the text retrieved from search results before presentation to the user.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill encourages the agent to find and present 'Direct Website' links. This poses a phishing risk where an attacker could optimize a malicious site to appear as the 'official' site for a hotel in search results, potentially leading the user to a credential-harvesting or malware-distributing domain.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 07:41 AM