skill-chain-prompts
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill framework processes YAML-based workflow definitions to coordinate agent actions, creating a surface for indirect prompt injection if untrusted or malicious configurations are supplied.
- Ingestion points: The agent ingests YAML chain definitions and command arguments through the `/skill-chain-prompts run <chain>` interface and state-tracking blocks.
- Boundary markers: The instructions lack explicit delimiters or mandatory "ignore embedded instructions" warnings when interpreting the content of YAML fields like `context` or `args`.
- Capability inventory: The orchestrator is capable of invoking any other skill in the environment (e.g., `/deployment-cicd`, `/api-design-patterns`) and passing arguments to them, allowing for a wide range of secondary actions.
- Sanitization: There is no evidence of logic for validating, escaping, or sanitizing the content of the YAML fields before they are used to generate prompts and invoke other skills.
Audit Metadata