Gen Agent Trust Hub audit of skills/simhacker/moollm/protocol

Skill: protocol

Verdict: Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Data Exposure (HIGH): The K-REF method and associated documentation explicitly encourage and demonstrate pointing the AI agent at absolute file paths, including paths outside the workspace environment. This facilitates the exfiltration of sensitive data if an attacker can influence the path provided to the agent.
      ◦ Evidence: CARD.yml provides examples such as /path/file.txt:42:10-46 # secret and /path/screenshot.png.
      ◦ Evidence: CARD.yml includes an 'orchestrator-capability' section that highlights: 'Cursor can read ANYWHERE on disk (not just workspace). Powerful but be aware of security implications.'
  • Metadata Poisoning / Self-Referential Analysis (MEDIUM): The skill contains a file named skill-snitch-report.md, a self-audit report that attempts to validate the skill's own safety with claims such as 'Verdict: APPROVE' and 'Risk Level: LOW'. This is an adversarial pattern designed to influence automated scanners or human auditors into adopting the skill's own safety claims rather than performing an independent assessment.
  • Indirect Prompt Injection Surface (LOW): The K-REF and SISTER-SCRIPT patterns define a mechanism by which the agent ingests untrusted data from external files pointed to by absolute paths.
      ◦ Ingestion points: Files at paths emitted by tools or specified in the K-REF format (found in CARD.yml and GLANCE.yml).
      ◦ Boundary markers: Absent from the protocol definition.
      ◦ Capability inventory: The agent can read any file or image on disk via the orchestrator.
      ◦ Sanitization: No sanitization or validation of paths or content is described in the protocol.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:16 PM