annotation
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and acts upon instructions (annotations) found within user-provided documents.
  - Ingestion points: The skill reads external files, such as `PLAN.md`, to detect review signals (described in 'Required behavior' step 1).
  - Boundary markers: It uses markers like `ADD`, `DELETE`, and `===` to identify sections to process, but these do not prevent the agent from executing instructions embedded within those sections.
  - Capability inventory: The skill allows the agent to modify the file system by applying edits directly to documents (described in 'Required behavior' step 4).
  - Sanitization: There is no evidence of content sanitization or instruction filtering for the text found within the annotation blocks.
Audit Metadata