insurance-agent-product-wiki

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/test_skill_v2.py employs subprocess.run() with shell=True to execute commands assembled via f-string interpolation. This pattern is susceptible to command injection if the input variables (such as the search query) are influenced by untrusted data. Although this is a test script, its presence within the skill directory accessible to the agent poses a risk.
  • [EXTERNAL_DOWNLOADS]: The install.sh script automates the installation of multiple Python libraries including pdfplumber, python-docx, and python-pptx from public package registries. These are well-known services, but the automated execution of package managers is a security-relevant behavior.
  • [PROMPT_INJECTION]: The skill implements an ingestion workflow in SKILL.md (Mode A) that parses arbitrary user-provided documents (PDF, Word, PPT). The current schema and templates do not include robust boundary markers or 'ignore' instructions for the LLM when processing this content, creating a vulnerability to indirect prompt injection where a malicious document could override the agent's instructions.
  • Ingestion points: scripts/extract_doc.py processes external files into extracted.md.
  • Boundary markers: Absent in templates/product_wiki.md and schema.md.
  • Capability inventory: File reading via extract_doc.py, shell execution in test_skill_v2.py, and network search via Tavily integration.
  • Sanitization: No explicit sanitization or filtering of document content before it is interpolated into wiki and script templates.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 06:40 AM
Security Audit — agent-trust-hub — insurance-agent-product-wiki