skills/zephyrwang6/myskill/start-work/Gen Agent Trust Hub

start-work

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE | PROMPT_INJECTION | DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it reads and processes content from potentially untrusted sources like an 'Inbox' or 'Context' folder. Evidence Chain:
      1. Ingestion points: /Users/ugreen/Documents/obsidian/00 收件箱/ and AI_MEMORY folders.
      2. Boundary markers: None identified to delimit note content from instructions.
      3. Capability inventory: Uses Read tool to access files and triggers downstream skills like topic-agent.
      4. Sanitization: No validation or escaping of the note content is performed before interpolation into prompts.
  • [DATA_EXFILTRATION] (LOW): The skill targets specific local file paths in the user's home directory (/Users/ugreen/). While these are note files intended for processing, accessing personal document directories is a sensitive operation. No evidence of unauthorized network transmission was found.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:12 PM