internal-comms
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and summarize data from potentially attacker-controlled sources, creating a significant vulnerability surface.
- Ingestion points: The files examples/3p-updates.md, examples/company-newsletter.md, and examples/faq-answers.md instruct the agent to read Slack messages, Google Drive documents, emails, and Calendar events. It also specifically suggests looking for external press in examples/company-newsletter.md.
- Boundary markers: There are no instructions to use delimiters or to ignore embedded instructions within the retrieved content, making it impossible for the agent to distinguish between data and malicious commands.
- Capability inventory: The agent produces high-impact outputs such as company-wide newsletters, leadership updates, and internal FAQs. If the agent automatically posts these (as suggested by the instruction 'It will be sent via Slack and email') or if a user trusts the summary, malicious content could be distributed to the entire organization.
- Sanitization: The skill lacks any sanitization or validation of the external content. It specifically looks for high-engagement items (messages with many reactions or responses), which are primary targets for attackers seeking to influence the agent's output.
Recommendations
- AI detected serious security threats
Audit Metadata