abstract
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection through the processing of untrusted local project files.
- Ingestion points: The agent is instructed to read the full content of index.qmd and various notebooks to extract research questions, methods, and findings (Steps 2 and 3).
- Boundary markers: There are no explicit instructions or delimiters defined to separate the data read from external files from the agent's instructions, nor are there warnings for the agent to ignore embedded commands.
- Capability inventory: The skill specifies access to several tools including Bash, Read, Write, Edit, Glob, and Grep, which provide a significant capability set if an injection were to occur.
- Sanitization: The skill description lacks requirements for sanitizing or validating the ingested content before it is used to generate the abstract or update the YAML front matter of index.qmd.
Audit Metadata