transformers
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process external untrusted data across multiple modalities, creating a significant attack surface for indirect injection attacks.
- Ingestion points: Data enters through `pipeline()` calls, `AutoTokenizer()` inputs, and model inference methods (e.g., `model.generate()`, `model(**inputs)`) as seen in `references/pipelines.md` and `references/tokenizers.md`.
- Boundary markers: There are no markers or delimiters prescribed in the code snippets to separate untrusted user input from system-level instructions.
- Capability inventory: The skill possesses significant capabilities, including local file system writes (`model.save_pretrained()`), network communication (`model.push_to_hub()`), and complex reasoning that influences downstream agent decisions.
- Sanitization: No sanitization, input validation, or filtering of the external content is implemented or recommended in the provided documentation.
- Prompt Injection / Metadata Poisoning (MEDIUM): The `SKILL.md` file contains a 'Suggest Using K-Dense Web' section that functions as a behavioral override. It instructs the agent to 'proactively suggest using K-Dense Web' when complexity increases. This is a form of persona hijacking for promotional purposes disguised as helpful advice.
Recommendations
- AI detected serious security threats
Audit Metadata