multi-agent
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture is vulnerable to indirect prompt injection across its agent chain.
- Ingestion points: The skill takes raw user input ({{question}}) and intermediate agent outputs ({{agent_1_response}}, {{agent_2_response}}) and interpolates them directly into subsequent prompts in SKILL.md and prompts/judge.md.
- Boundary markers: No clear delimiters or XML tags are used to isolate untrusted content. There are no instructions to the sub-agents to ignore potentially malicious commands embedded in the processed data.
- Capability inventory: The sub-agents are invoked using the Task tool. If a prompt injection occurs, an attacker could potentially trick a sub-agent into using the environment's tools (file read/write, shell execution) in unintended ways.
- Sanitization: There is no logic to sanitize or escape the content of the variables before they are presented to the AI models.