openrouter-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill creates a significant attack surface for indirect prompt injection by facilitating the ingestion of untrusted data (prompts and vision inputs) paired with autonomous tool-calling capabilities. In 'reference/tool-calling.md', the use of 'create_react_agent' allows the model to trigger side-effect functions like 'create_order' without human intervention.
- Ingestion points: Data enters through 'llm.invoke' in 'SKILL.md' and message lists in 'reference/tool-calling.md'.
- Boundary markers: No boundary markers or delimiters are used to separate system instructions from untrusted content in the provided implementation examples.
- Capability inventory: Includes tool execution side effects (e.g., 'create_order') and network requests to external providers via 'openai_api_base'.
- Sanitization: No input validation or sanitization of LLM-returned data is shown before it is passed to sensitive tool implementations.
Recommendations
- AI detected serious security threats
Audit Metadata