intelligems-rollout-brief
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted data (test details, overview analytics, and segment analysis) from an external API in Step 4.
- Ingestion points:
rollout.pyfetches test metadata and segment data via API calls. - Boundary markers: None. The instructions do not specify any delimiters or safety prompts to prevent the agent from obeying instructions embedded in the test data.
- Capability inventory: The agent can execute shell commands (
python3,cp), write files, and perform network requests (API + Slack). - Sanitization: No sanitization is mentioned for the external content before it is processed into 'Executive Summaries' or 'Recommendations'.
- Command Execution (HIGH): Step 2 and Step 4 involve copying (
cp) and executing (python3) a script namedrollout.py. This script is sourced from areferences/directory not provided for analysis, representing unverified code execution. - Data Exfiltration (MEDIUM): Step 6 explicitly supports sending analysis results to a user-provided Slack webhook URL (
--slack "<webhook_url>"). An attacker could exploit this by providing a malicious webhook URL to exfiltrate sensitive financial impact or segment data analyzed by the skill.
Recommendations
- AI detected serious security threats
Audit Metadata