ag2-network-tools-and-views

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill documents the use of 'ViewPolicy' protocols, such as 'FullTranscript' and 'WindowedSummary', which project untrusted channel history into the agent's context. This architectural choice creates an attack surface for indirect prompt injection, where malicious instructions from other participants could be processed by the agent.
      • Ingestion points: In 'SKILL.md', the 'WAL' (Write-Ahead Log) acts as the entry point for untrusted data from network participants.
      • Boundary markers: No explicit message delimiters or 'ignore' instructions for interpolated content are mentioned in the documentation.
      • Capability inventory: The agent is granted capabilities such as 'delegate' for remote execution and 'channels' for lifecycle management, which could be abused if an injection is successful.
      • Sanitization: There is no evidence of sanitization or content filtering for messages retrieved from the history.
Audit Metadata
Risk Level: SAFE
Analyzed: May 14, 2026, 01:23 AM