research
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of ingesting and processing untrusted data.
  - Ingestion points: SKILL.md Step 1 (user input for task descriptions and IDs), Step 3 (full read of codebase files), and Step 6 (results from the web-researcher agent).
  - Boundary markers: No boundary markers or 'ignore' instructions are present to encapsulate ingested data when passed to sub-agents.
  - Capability inventory: File writing, ripgrep scanning, agent orchestration, and web research.
  - Sanitization: The instructions do not define any sanitization or validation logic for external data or user-provided identifiers before they are used in file paths or prompts.
- [DATA_EXFILTRATION]: Potential path traversal risk in file management. In Step 5, the skill creates or updates files at ./apex/tasks/[identifier].md. Since the identifier can be directly set to a user-provided Ticket ID (Step 1), a malicious input could attempt to traverse directories and write files to unintended locations.
- [DATA_EXFILTRATION]: Risk of sensitive data exposure during external research. The web-researcher agent in Step 6 is provided with the 'Context' of the research task, which may include sensitive code snippets or architecture details retrieved from the codebase in Step 3, potentially leaking them to external search providers or APIs.
- [COMMAND_EXECUTION]: Potential for command injection via the triage scan in Step 4. The skill generates keywords from the user-influenced 'enhanced prompt' and uses them in an rg (ripgrep) command. If the execution environment does not properly escape these keywords, special shell characters could be used to manipulate the command.
Audit Metadata