research
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's architecture for processing web research data is vulnerable to indirect prompt injection. This occurs because the agent ingests untrusted content from external websites and processes it through sub-agents and a synthesis lead without sufficient isolation or validation.
- Ingestion points: Untrusted data is retrieved from the web via 'WebFetch' and distributed to parallel workers as documented in SKILL.md.
- Boundary markers: There are no instructions for using delimiters or boundary markers to separate fetched content from agent instructions, nor are there warnings to ignore embedded commands.
- Capability inventory: The skill writes findings to the local disk in the .gm/ directory and uses an 'exec:memorize' command to persist knowledge.
- Sanitization: The skill lacks explicit procedures for sanitizing or escaping the data fetched from external sources before it is processed.
Audit Metadata