action-queue
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core architecture allows 'objects' to push prerequisites onto the queue ('Food Chain Pattern'), creating a significant attack surface.
- Ingestion points: Actions are ingested from external YAML configurations (agent.yml, character.yml) and from object 'advertisements' processed at runtime.
- Boundary markers: Absent. The queue does not use delimiters or instructions to distinguish between trusted system commands and potentially malicious external inputs.
- Capability inventory: The skill is explicitly granted the write_file, read_file, and list_dir tools, allowing injected tasks to perform permanent file system modifications.
- Sanitization: Absent. There is no evidence of validation or filtering for actions added to the queue via the 'DO', 'URGENT', or 'push' mechanisms.
- Data Exposure (LOW): The inclusion of read_file and list_dir in the allowed-tools metadata increases the risk of sensitive information disclosure if the action queue is compromised.
Recommendations
- AI detected serious security threats