rag-retrieval
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements Retrieval-Augmented Generation (RAG) patterns that ingest data from untrusted external sources (web search results and vector databases) and interpolate it directly into LLM prompts.
  - Ingestion points: External data enters the agent context via `retrieve_documents` in `scripts/rag-pipeline-template.ts` and the `WebSearcher` class in `scripts/scripts/crag-workflow.py`.
  - Boundary markers: Prompt templates in `rules/core-basic-rag.md` and `scripts/rag-pipeline-template.ts` use simple delimiters like "Context:\n" without robust escaping or explicit instructions to the model to ignore instructions embedded within the retrieved text, creating a surface for indirect prompt injection.
  - Capability inventory: The skill is configured to use capabilities such as `WebFetch`, `WebSearch`, and database access (SQLAlchemy/PGVector), which could be leveraged by an attacker if an injection is successful.
  - Sanitization: There is no evidence of content sanitization, filtering, or validation of the retrieved data before it is presented to the language model.
Audit Metadata