intelligems-test-debrief
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill executes a Python script (
debrief.py) copied from a relative path (references/). This allows the skill to perform arbitrary operations on the host system within the user's environment. - DATA_EXFILTRATION (MEDIUM): Provides a mechanism to send data to external Slack webhooks. While intended for automation, this allows the agent to send potentially sensitive business data (test results, visitor segments) to any URL provided during the session.
- INDIRECT PROMPT INJECTION (HIGH):
- Ingestion points: External analytics data (funnel stages, segment labels, test metadata) fetched via API in
debrief.py. - Boundary markers: None identified; data is presented "conversationally" by the agent.
- Capability inventory: File system access (
cp), subprocess execution (python3), and network access (API calls and Slack webhooks). - Sanitization: None described; the agent is instructed to build insights directly from external data, which may contain malicious instructions embedded in test metadata.
- CREDENTIALS_UNSAFE (LOW): Explicitly prompts the user for an API key. While common for such skills, it introduces a risk of credential mishandling if the agent context is later compromised.
Recommendations
- AI detected serious security threats
Audit Metadata