tavus-cvi-knowledge
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [Prompt Injection] (HIGH): The skill exposes a significant surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context via the 'document_url' parameter and the 'crawl_pages' functionality described in SKILL.md.
  - Boundary markers: Absent; no instructions or delimiters help the agent distinguish its system prompt from content retrieved from documents.
  - Capability inventory: The persona uses retrieved content to influence its reasoning and responses, which are then persisted across sessions via 'memory_stores' (SKILL.md).
  - Sanitization: Absent; the documentation describes no validation or filtering of content fetched from remote URLs.
- [Data Exfiltration] (MEDIUM): Potential for Server-Side Request Forgery (SSRF) via the document retrieval system.
  - Description: The 'document_url' field in the document creation API causes the Tavus backend to fetch content from any URL provided. If the backend does not implement strict URL validation, attackers could use this to scan internal networks or reach sensitive metadata services.
- [Credentials Unsafe] (LOW): Use of API key placeholders in documentation.
  - Description: The curl examples use 'x-api-key: YOUR_API_KEY'. The placeholder itself is safe, but it is a reminder that improper handling of real keys could lead to credential exposure.
Recommendations
- AI detected serious security threats
Audit Metadata