brand-kit
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill requests file paths from the user in Step 0 and uses the 'Read' tool to access them. While intended for brand assets, this pattern allows arbitrary local files to be read if the agent is steered toward sensitive system paths, whether by the user or by content it has ingested.
- [PROMPT_INJECTION]: In Step 1, the skill ingests untrusted data from the web using tools such as FirecrawlScrapeTool, FetchInstagramProfileTool, and Perplexity. This creates an indirect prompt injection surface: instructions embedded in external websites or social profiles could hijack the agent's behavior during the brand strategy and delivery phases. Evidence: SKILL.md directs scraping of competitor sites, social media profiles, and forums.
- [COMMAND_EXECUTION]: The skill executes shell commands using the 'infsh' CLI tool to generate images and uses system commands to open generated HTML files in the browser. These are high-privilege capabilities; if the agent's reasoning is compromised, for example through the injection surface above, they become the path by which that compromise acts on the host.
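The DATA_EXFILTRATION and COMMAND_EXECUTION findings both come down to the same missing control: the skill takes a path from the user (or from whatever the agent was steered to) and hands it to a file read or a shell command without confining it. The following is an added example, written for this audit and not code from the brand-kit skill or from Gen Agent Trust Hub, of the guard a skill author would put in front of those two steps. It assumes a hypothetical asset root chosen by the operator, uses `xdg-open` as the assumed Linux opener, and builds its own sample files (a legitimate asset, a traversal path, an absolute system-style path, and a symlink planted inside the asset directory) in a temporary directory.

```python
import tempfile
from pathlib import Path


class PathOutsideRootError(ValueError):
    """Raised when a requested path resolves outside the allowed asset root."""


def resolve_asset_path(requested: str, root: Path) -> Path:
    """Return the real path of `requested` only if it lies under `root`.

    Both the root and the candidate are resolved (symlinks followed, `..`
    collapsed) before comparison, so `../secret.txt`, an absolute system
    path, and a symlink planted inside the asset directory are all rejected,
    not just literal `/etc/...` strings.
    """
    root_real = root.resolve()
    raw = Path(requested)
    candidate = raw if raw.is_absolute() else root_real / raw
    real = candidate.resolve()
    try:
        real.relative_to(root_real)
    except ValueError:
        raise PathOutsideRootError(
            f"{requested!r} resolves to {real}, outside {root_real}"
        ) from None
    return real


def build_open_command(html_path: str, output_root: Path) -> list[str]:
    """Argv for opening a generated HTML file, confined to output_root.

    Returned as an argument vector rather than a shell string, so a file name
    carrying shell metacharacters can never become a second command. The
    `xdg-open` opener is an assumption for Linux; use `open` on macOS.
    """
    real = resolve_asset_path(html_path, output_root)
    if real.suffix.lower() not in {".html", ".htm"}:
        raise ValueError(f"refusing to open non-HTML file {real}")
    return ["xdg-open", str(real)]


def demo() -> dict:
    """Exercise the guards against constructed inputs in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "assets"          # hypothetical operator-chosen root
        root.mkdir()
        (root / "logo.svg").write_text("<svg/>")          # constructed asset
        (root / "brand.html").write_text("<html></html>")  # constructed output
        outside = Path(tmp) / "secret.txt"                 # stands in for a system file
        outside.write_text("token=...")
        (root / "innocent.svg").symlink_to(outside)        # planted symlink

        results["legit"] = resolve_asset_path("logo.svg", root).name
        for label, bad in {
            "traversal": "../secret.txt",
            "absolute": str(outside),
            "symlink": "innocent.svg",
        }.items():
            try:
                resolve_asset_path(bad, root)
                results[label] = "allowed"
            except PathOutsideRootError:
                results[label] = "blocked"

        results["open_argv"] = build_open_command("brand.html", root)[0]
        try:
            # Metacharacters in the name: never reaches a shell, and the
            # suffix check refuses it as a non-HTML target anyway.
            build_open_command("logo.svg; rm -rf ~", root)
            results["meta"] = "allowed"
        except (PathOutsideRootError, ValueError):
            results["meta"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The symlink case is the one most often missed: a check that only inspects the string the user typed would accept `innocent.svg`, but the resolved target lies outside the root. Confining the read this way does not remove the PROMPT_INJECTION surface, it only limits what a hijacked agent can reach through the Read and open steps.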
Audit Metadata