deepresearch
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to process untrusted external content (OSINT, URLs, and user-generated content) which is an inherent attack surface for indirect prompt injection.
  - Ingestion points: Ingestion occurs in `collection-strategist.md` (URLs/Websites) and `verification-expert.md` (Image URLs/UGC).
  - Boundary markers: Explicit boundary markers for fetched browser content are absent in the prompts, though the agents are instructed to use 'evidence anchors'.
  - Capability inventory: The agents utilize the `cursor-ide-browser` tool for network operations (GET/Archive) and the ability to write/update research files (Markdown).
  - Sanitization: No technical sanitization of fetched HTML/UGC content is specified before the agent processes it.
  - Risk Assessment: While vulnerable to poisoned external data, the framework mitigates this through a multi-agent 'Red Team' and 'Devil's Advocate' approach (Category 8 mitigation), where conclusions are systematically challenged.
- [Prompt Injection] (SAFE): The prompts include explicit 'Ethics & Compliance Guardrails' (`references/ETHICS_GUARDRAILS.md`) which instruct the agent to refuse illegal activities, misrepresentation, and privacy violations. This strengthens the agent's resistance to malicious user requests.
- [No Obfuscation Detected] (SAFE): The repetitive frontmatter in `subagents/.cursor/agents/README.md` appears to be a formatting artifact rather than a functional obfuscation attempt.
- [Tool Access] (INFO): The skill requires external tools like `cursor-ide-browser` and `cursor-agents-md`. These are treated as standard capabilities within the intended environment (Cursor IDE).
Audit Metadata