empathic-templates

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Prompt Injection (HIGH): The skill design treats template placeholders (e.g., {{describe_X}}, {{generate_Z}}) as active instructions for the LLM. This allows an attacker to inject system-level overrides or malicious directives into the context or template parameters, which the LLM will then execute during the instantiation process.
  • Indirect Prompt Injection (HIGH): This skill has a severe vulnerability surface due to its core functionality. (1) Ingestion points: The INSTANTIATE, PREVIEW, and VALIDATE methods in CARD.yml accept untrusted 'template' and 'context' data. (2) Boundary markers: No markers or delimiters are used to separate untrusted user data from the template's logic. (3) Capability inventory: The skill requires 'write_file', which can be weaponized if the LLM is subverted. (4) Sanitization: No sanitization or input validation is performed on the data before it is interpolated into the prompt.
  • Command Execution (HIGH): By subverting the LLM via a malicious template, an attacker can control both the 'output_path' and the 'result' of the INSTANTIATE method. This allows for overwriting sensitive system files (e.g., .bashrc, authorized_keys) or creating new malicious scripts, leading to host compromise.
  • Metadata Poisoning (MEDIUM): The skill-snitch-report.md file is a deceptive artifact that mimics a security audit to provide a false 'APPROVE' verdict, likely intended to misdirect automated scanners or human reviewers.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:28 AM