research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a significant attack surface by ingesting and distilling content from 20-30+ untrusted external sources including blogs, forums, and GitHub discussions. (1) Ingestion points: WebSearch and WebFetch of external URLs. (2) Boundary markers: absent; no delimiters or instructions are used to wall off external content. (3) Capability inventory: the Write, Edit, and Grep tools allow the skill to persist poisoned content locally. (4) Sanitization: absent; external data is distilled and written directly to markdown files.
- Downstream Privilege Escalation (HIGH): Research documents produced by this skill are explicitly designed to be discovered and used by the `/plan` and `/spec` skills. A poisoned document could cause the agent to generate malicious execution plans or insecure technical specifications in future sessions.
- Data Exposure (MEDIUM): The skill performs recursive greps (`grep -r`) on local directories like `ideas/` and `shared/docs/`. This may inadvertently capture sensitive internal information or secrets and include them in the synthesized research output.
- Command Execution (LOW): The skill utilizes shell-like utilities (`grep`, `glob`) for local file discovery. While intended for search, these provide the mechanism for locating and processing sensitive data at scale.
Recommendations
- AI detected serious security threats
Audit Metadata