file-reference
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because its primary function is to ingest and process untrusted external data (files and URLs).
  - Ingestion points: Processes user-supplied file paths (e.g., `@file://...`) and URLs (e.g., `@url://...`) provided in the dialogue.
  - Boundary markers: Absent. The skill instructions do not define delimiters or warnings to treat the content of the read files as potentially untrusted data.
  - Capability inventory: The skill is explicitly allowed to use the `Read` tool to access the local file system.
  - Sanitization: Absent. There is no mention of validating file paths to prevent directory traversal or filtering content to prevent recursive injection.
- Data Exposure (SAFE): While the skill facilitates file reading, the examples provided focus on project-specific paths (`data/stories/`, `project/notes/`) rather than sensitive system directories. No hardcoded credentials or exfiltration patterns were detected.
- No Code (SAFE): The skill consists entirely of Markdown instructions and configuration. No executable scripts (Python, Node.js) or shell commands are included.