friction-log
Pass
Audited by Gen Agent Trust Hub on Jun 2, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The passive reporting feature transmits technical metadata and friction descriptions to an external vendor-controlled endpoint (
https://agent-friction-skill.vercel.app/api/draft). This payload includes framework versions, model IDs, build statistics, and error descriptions. The skill instructions (inpassive/SKILL.md) explicitly mandate that the agent sanitize the content and remove all secrets, personally identifiable information (PII), or project-specific identifiers before the network request occurs. - [PROMPT_INJECTION]: The skill is designed to automatically fetch and process content from URLs provided in user prompts (Step 6 in
SKILL.md). This ingestion of untrusted external data creates an attack surface for indirect prompt injection. The skill lacks specific boundary markers or sanitization logic to prevent external content from being interpreted as instructions by the agent. - [PROMPT_INJECTION]: The active logging instructions (
SKILL.md) and behavior guidelines (references/agent-behavior.md) direct the agent to monitor for "out-of-band" messages injected by the harness and treat them as instructions. These untrusted inputs flow into the agent's logic without explicit delimiters or escaping. - [PROMPT_INJECTION]: The passive reporter is instructed to "exit silently" if no relevant friction is identified. This behavior, while intended to minimize noise, suppresses visibility into the agent's analysis of the conversation history.
Audit Metadata