subask
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill directly interpolates raw user input into the prompt for a sub-agent without using boundary markers or escape sequences, allowing user-provided text to potentially override the sub-agent's instructions.
- [COMMAND_EXECUTION]: The sub-agent is granted access to the current working directory and is explicitly intended to perform system-level tasks such as file manipulation and git operations, which increases the impact of successful prompt manipulation.
- [DATA_EXFILTRATION]: The skill automatically includes the current working directory path in the context sent to the sub-agent, leading to path exposure.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface Evaluation:
  1. Ingestion points: User input from $ARGUMENTS in SKILL.md.
  2. Boundary markers: None present to distinguish user input from system instructions.
  3. Capability inventory: The sub-agent has filesystem access and task execution capabilities via the Task tool.
  4. Sanitization: No validation or escaping is applied to the input before interpolation.