rss-catchup
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection attacks because it ingests untrusted external data and provides the agent with powerful tools.
  - Ingestion points: scripts/rss_helper.py fetches raw article content and RSS feed entries from arbitrary URLs provided in references/feeds.json or discovered during execution.
  - Boundary markers: Absent. The instructions do not define delimiters or provide system-level warnings to the agent to treat the fetched article text as data rather than instructions.
  - Capability inventory: The agent is granted the Bash, Write, and Edit tools. This allows the agent to execute arbitrary shell commands or modify the local filesystem if it follows instructions embedded in a malicious article.
  - Sanitization: Absent. While the script strips HTML tags for readability, it does not sanitize the text for natural-language instructions that could override the agent's behavior.
- [COMMAND_EXECUTION] (LOW): The skill uses Bash to execute its helper script and perform file searches with grep. While these are functional requirements for the skill's workflow, they provide the execution environment that elevates the severity of the prompt injection vulnerability.
Recommendations
- AI detected serious security threats
Audit Metadata