Skills
skills/yui-synth-lab/aenea-project/rag/Gen Agent Trust Hub

rag

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest data from untrusted external sources (GitHub repositories) which is then processed by the agent.\n
  • Ingestion points: Identified in SKILL.md under CLI commands (npm run rag:ingest:github).\n
  • Boundary markers: None are specified to protect the LLM context from instructions embedded within the ingested data.\n
  • Capability inventory: The skill is explicitly granted Bash, Read, Grep, and Glob tools, providing a broad attack surface for an injection to trigger side effects.\n
  • Sanitization: No sanitization or validation of the ingested content is mentioned or enforced.\n- Command Execution (HIGH): The inclusion of the Bash tool in allowed-tools combined with automated data ingestion represents a critical security risk. If the agent's reasoning is subverted by malicious data, the shell can be used for system exploration or further exploitation.\n- External Downloads (LOW): The skill automates downloading content from GitHub. While essential for the RAG function, this behavior should be limited to trusted repositories to prevent data poisoning.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:23 AM