AnnualReports
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file contains instructions for the agent to load and apply overrides from a local directory (~/.opencode/skills/CORE/USER/SKILLCUSTOMIZATIONS/AnnualReports/) using files like PREFERENCES.md. This mechanism allows unverified local files to persistently override agent behavior.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to fetch data from external sources: Tools/UpdateSources.ts fetches from a public repository on GitHub, and Tools/FetchReport.ts fetches from arbitrary URLs. This capability could be exploited for Server-Side Request Forgery (SSRF) against internal network resources if malicious URLs are provided.
- [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection. Ingestion points: Tools/FetchReport.ts downloads external HTML/text and Tools/UpdateSources.ts downloads a remote README file. Boundary markers: no markers or explicit instructions are provided to the agent to distinguish fetched report content from core system instructions. Capability inventory: the agent is tasked with analyzing the downloaded content, and the skill possesses file-write capabilities (writeFileSync in Tools/FetchReport.ts and Tools/UpdateSources.ts). Sanitization: while Tools/FetchReport.ts strips HTML tags, it does not filter for natural language instructions designed to subvert the LLM.
Audit Metadata