account-research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted external data that could contain malicious instructions designed to manipulate the agent's behavior.
  - Ingestion points: Web search results, news headlines, LinkedIn profile summaries, and job postings are ingested at runtime (SKILL.md Step 2).
  - Capability inventory: The skill accesses high-value internal data including CRM opportunity history, private notes, and contact lists (SKILL.md Step 4).
  - Boundary markers: No delimiters or safety instructions are defined to help the agent distinguish between 'research data' and 'system instructions'.
  - Sanitization: There is no mention of filtering or escaping external content before it is synthesized with internal CRM data (SKILL.md Step 5).
- [Data Exposure] (MEDIUM): The skill is explicitly designed to retrieve and display PII and sensitive business history.
  - It accesses 'verified emails', 'phone numbers', and 'opportunity history' (past deals won/lost).
  - While this is the intended functionality, the lack of input validation on the search terms or the resulting data increases the risk that an attacker could craft a web page to bait the agent into revealing more than intended.
Recommendations
- AI detected serious security threats
Audit Metadata