Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill implements a 'files-as-state' architecture where the agent interacts with structured text files using the read_file and write_file tools.
  - Ingestion points: The agent is designed to read ROOM.yml, CHARACTER.yml, and SESSION.md as its primary input substrate.
  - Boundary markers: The skill lacks any definition for delimiters or boundary markers to distinguish between data and instructions within these text files.
  - Capability inventory: The YAML frontmatter explicitly authorizes read_file and write_file operations across the filesystem.
  - Sanitization: No sanitization or validation logic is mentioned. An attacker who can influence the content of a .yml or .md file (e.g., through a character description or room note) can inject instructions that the agent may execute with its file-writing privileges.
Recommendations
- AI detected serious security threats
Audit Metadata