insurance-agent-product-wiki
Warn
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/test_skill_v2.pyemployssubprocess.run()withshell=Trueto execute commands assembled via f-string interpolation. This pattern is susceptible to command injection if the input variables (such as the search query) are influenced by untrusted data. Although this is a test script, its presence within the skill directory accessible to the agent poses a risk. - [EXTERNAL_DOWNLOADS]: The
install.shscript automates the installation of multiple Python libraries includingpdfplumber,python-docx, andpython-pptxfrom public package registries. These are well-known services, but the automated execution of package managers is a security-relevant behavior. - [PROMPT_INJECTION]: The skill implements an ingestion workflow in
SKILL.md(Mode A) that parses arbitrary user-provided documents (PDF, Word, PPT). The current schema and templates do not include robust boundary markers or 'ignore' instructions for the LLM when processing this content, creating a vulnerability to indirect prompt injection where a malicious document could override the agent's instructions. - Ingestion points:
scripts/extract_doc.pyprocesses external files intoextracted.md. - Boundary markers: Absent in
templates/product_wiki.mdandschema.md. - Capability inventory: File reading via
extract_doc.py, shell execution intest_skill_v2.py, and network search viaTavilyintegration. - Sanitization: No explicit sanitization or filtering of document content before it is interpolated into wiki and script templates.
Audit Metadata