rabbit-hole
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The orchestrator instructions in SKILL.md for Phase 3 direct the agent to execute a shell command where findings from external investigators are piped into a Python script using the echo command. This pattern is susceptible to command injection if the findings contain shell metacharacters such as single quotes.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). Ingestion points: Data enters the pipeline via the Investigator agents in Phase 2. Boundary markers: No delimiters or instructions are provided to isolate the untrusted investigator findings from the orchestrator's instructions. Capability inventory: Sub-agents have access to tools for file reading, searching, and local script execution. Sanitization: External data is interpolated directly into the prompt templates without any form of escaping or validation.
- [DATA_EXFILTRATION]: The scripts/validate_sources.py script allows checking for the existence and reading of local files based on paths provided in its input. Because these paths are sourced from external search results, an attacker could potentially use this mechanism to probe for or access sensitive files on the system.
Recommendations
- AI detected serious security threats
Audit Metadata