search-first
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines a 'Complete Mode' workflow that triggers a subagent using a template. This template interpolates untrusted user input (e.g., function descriptions, language constraints) directly into the instructions for a general-purpose subagent, creating a surface for indirect prompt injection.
  - Ingestion points: User-provided placeholders `[功能描述]`, `[LANG]`, and `[ANY]` within the subagent task definition in `SKILL.md`.
  - Boundary markers: The prompt template lacks delimiters (such as XML tags or triple quotes) or explicit instructions for the agent to ignore potentially malicious embedded commands within the interpolated data.
  - Capability inventory: While the `search-first` skill contains no executable code itself, it delegates tasks to a 'general-purpose' subagent which may have access to tools or capabilities that could be abused through injection.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the user-provided placeholders before they are interpolated into the prompt.
Audit Metadata