rag-search
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a retrieval-augmented generation (RAG) pattern that is vulnerable to indirect prompt injection due to the lack of sanitization of indexed content.
  - Ingestion points: Document content enters the agent's context through the `searchDocuments` and `indexDocuments` functions in `rag-search.js`, which read files from the directory specified by the user-provided `--path` argument.
  - Boundary markers: The skill output contains raw document chunks without delimiters, boundary markers, or specific instructions to the agent to treat the retrieved text as untrusted data.
  - Capability inventory: The script performs file system operations including directory traversal (`fs.readdirSync`), reading files (`fs.readFileSync`), and writing the search index to the local user directory (`fs.writeFileSync`). It also defines a class for network requests to OpenAI's embeddings API, although this is currently unused in the main execution flow.
  - Sanitization: No sanitization, escaping, or validation is performed on the content of the indexed documents before the text is returned as a search result.
Audit Metadata