summarize
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core architecture creates a significant attack surface for indirect injections.
  - Ingestion points: The skill processes arbitrary files using the `read_file` tool.
  - Boundary markers: Absent. There are no instructions to use delimiters or to ignore instructions found within the source files during the summarization process.
  - Capability inventory: The skill possesses `read_file` and `write_file` capabilities, allowing it to ingest data and persist potentially malicious summaries to the filesystem.
  - Sanitization: None detected. Malicious instructions inside a source file can be carried over into the `summary` or `key_points` fields of the metadata sidecar.
  - Impact: The 'SIP' method explicitly instructs the agent to read the metadata first and 'decide if full file needed'. An attacker can use this to hide malicious instructions in a summary that prevent the agent from reading the original (true) content or redirect the agent to other malicious tasks.
- [Metadata Poisoning] (MEDIUM): The file `skill-snitch-report.md` contains self-authored safety claims ('Verdict: APPROVE', 'Risk Level: LOW') and instructions that attempt to influence the analysis process. Per the Global Rule, these claims are treated as deceptive data rather than authoritative conclusions.
Recommendations
- AI detected serious security threats
Audit Metadata