skills/simhacker/moollm/postel/Gen Agent Trust Hub

postel

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (tags: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The core logic of the 'POSTEL' protocol instructs the agent to 'find the best possible interpretation' of messy or ambiguous data and specifically advises 'Don't assume malice.' This is a dangerous directive that can be exploited to bypass safety filters or execute malicious instructions hidden in data. Evidence Chain:
    1. Ingestion points: Processes all user commands, data fields, and ambiguous instructions.
    2. Boundary markers: None; the agent is told to merge and interpret rather than isolate.
    3. Capability inventory: Allows 'read_file' and 'write_file' (SKILL.md metadata).
    4. Sanitization: Absent; the protocol prioritizes 'Charity' over 'Validation.'
  • [Command Execution] (MEDIUM): The protocol encourages taking 'constructive action' based on inferred intent (e.g., 'Move to trash' or 'List for review') combined with the 'write_file' capability. An attacker can provide ambiguous input that the agent, following this skill, charitably interprets as a request to modify or create files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 12:16 AM