research-after-failure
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for indirect prompt injection.
- Ingestion points: The agent is instructed to use `WebFetch` and `WebSearch` to retrieve external content, as well as `cat` and `grep` to read local documentation and source code.
- Boundary markers: There are no specified delimiters or instructions to ignore embedded commands within the fetched data.
- Capability inventory: The agent has the capability to write to external systems via `gh issue comment` and execute shell commands (`grep`, `cat`, `git log`).
- Sanitization: No sanitization or validation of the retrieved content is mentioned before it is synthesized into a 'New Approach' or posted as a comment.
- Risk: An attacker could place malicious instructions in documentation or on a website that the agent researches. These instructions could trick the agent into exfiltrating sensitive local data via a GitHub issue comment or executing unauthorized commands during the 'Resume with New Knowledge' phase.
- Data Exposure (MEDIUM): The 'Research Online' protocol explicitly tells the agent to search for the 'Exact error text.'
- Evidence: Error messages in development environments often contain sensitive path information, environment variables, or even hardcoded credentials/tokens. Searching for exact error strings on the public web could leak this sensitive information to search engine logs and third-party trackers.
- Command Execution (LOW): The skill relies on shell commands for local research.
- Evidence: Commands like `grep -r "[keyword]" docs/` and `git log --grep="[keyword]"` involve interpolating keywords into shell strings. If the 'keyword' is derived from untrusted research findings without proper escaping, it could lead to limited command injection or argument injection.
Recommendations
- AI detected serious security threats
Audit Metadata