tool-design
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill describes a 'Tool-Testing Agent Pattern' (SKILL.md) that is vulnerable to indirect prompt injection. This pattern involves an agent processing 'failure examples' to refine its own tool descriptions.
- Ingestion points: The
failure_examplesvariable in theoptimize_tool_descriptionpattern (SKILL.md). - Boundary markers: Absent. The example snippet interpolates the untrusted data directly into a format string without delimiters or instructions to ignore embedded content.
- Capability inventory: The skill advocates for tools with bash command execution (
execute_command) and SQL access (execute_sql), creating a high-impact target for successful injections. - Sanitization: Absent. There is no mention of validating or escaping the failure data before processing.
- [COMMAND_EXECUTION]: The skill explicitly promotes 'Architectural Reduction' (references/architectural_reduction.md) as a production-ready design pattern. This approach replaces narrow, specialized tools with a single tool for arbitrary bash command execution. While the documentation recommends using a sandbox (e.g.,
vercel-sandbox), the promotion of such a high-privilege primitive significantly increases the attack surface and potential for lateral movement if the agent is compromised.
Audit Metadata