rag-retrieval
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE | PROMPT_INJECTION | EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill implements various RAG architectures which, by design, ingest untrusted content from external sources (databases and web search) and interpolate it into the agent's prompt context. This creates a surface for Indirect Prompt Injection (Category 8).
- Ingestion points: Untrusted data enters the context via vector database retrievers (e.g., Pinecone, PGVector) and web search results (via the Tavily API).
- Boundary markers: While some patterns use delimiters such as <document> or <chunk> tags, others rely on simple string concatenation, which is less resistant to adversarial content.
- Capability inventory: The skill possesses network access via authorized tools (WebSearch, WebFetch) and file system access (writing extracted images to /tmp in the multimodal-chunking rule).
- Sanitization: The provided templates do not demonstrate explicit sanitization or filtering of retrieved data for malicious instructions.
- [EXTERNAL_DOWNLOADS]: The skill relies on and provides examples for numerous third-party libraries and APIs, including OpenAI, Anthropic, Cohere, Pinecone, and Tavily. These are well-known technology services, and their use in this skill is consistent with its stated purpose of building RAG pipelines.
Audit Metadata