ai-rag-pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill architecture is vulnerable to indirect prompt injection.
  - Ingestion points: Untrusted content from web searches (Tavily Search, Exa Search) and URL extraction tools (Tavily Extract) is captured into shell variables such as $SEARCH, $SEARCH_RESULT, and $CONTENT.
  - Boundary markers: No delimiters, XML tags, or system-level instructions are used to separate the external data from the primary agent prompt.
  - Capability inventory: The skill uses Bash(infsh *) to execute LLM applications, which then process the combined prompt containing the untrusted search results.
  - Sanitization: The skill performs no escaping or validation of these variables before they are interpolated into the JSON-formatted input string passed to the LLM apps, so attacker-controlled text can both break the JSON structure and reach the model as if it were part of the instructions.
- [COMMAND_EXECUTION]: The skill requires Bash(infsh *) permissions to execute the inference.sh CLI. This allows running AI applications and managing user authentication sessions via the infsh login command. This capability is necessary for the skill's primary purpose of orchestration.
- [EXTERNAL_DOWNLOADS]: The documentation provides instructions to download and install additional skills from the inference-sh organization using npx.
Audit Metadata