content-reviewer

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it is designed to ingest and process untrusted external data (marketing drafts) provided by users through direct pasting, file uploads, or URLs.
    • Ingestion points: In SKILL.md, step 1 explicitly instructs the agent to read the full piece before doing anything else.
    • Boundary markers: The instructions do not specify the use of delimiters or "ignore embedded instructions" markers to isolate the untrusted content from the agent's core logic.
    • Capability inventory: The skill possesses the ability to call several tools (list_marketing_references, get_marketing_context, search_docs, search_content, get_voice_profile) to query internal systems. While these are read-only operations, an attacker could embed instructions in a draft to manipulate these queries or probe the internal database.
    • Sanitization: There is no mention of sanitizing, escaping, or validating the input content before it is processed by the agent's reasoning engine or passed as arguments to tools (e.g., the feature name in search_docs).
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 01:21 PM