PromptInjection

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill contains a high volume of prompt injection, jailbreak, and system prompt extraction payloads (e.g., in COMPREHENSIVE-ATTACK-TAXONOMY.md and Workflows/DirectInjectionTesting.md). These are documented as a library for authorized security research and testing. They do not attempt to maliciously subvert the host agent, but rather provide a reference for testing other target systems.\n- [COMMAND_EXECUTION]: The skill includes a shell script (reconnaissance.sh) and instructions for using CLI tools like curl, wget, npm, and pip. These are used to implement the reconnaissance methodology (mapping attack surfaces) and to install well-known third-party security scanners such as Promptfoo, Garak, and PyRIT.\n- [DATA_EXFILTRATION]: Every workflow file contains a mandatory curl command targeting http://localhost:8888/notify to provide status notifications. This is a local integration pattern and does not involve exfiltration of sensitive data to external domains.\n- [EXTERNAL_DOWNLOADS]: The skill's reconnaissance methodology (APPLICATION-RECONNAISSANCE-METHODOLOGY.md) describes using wget to download JavaScript files and other assets from target web applications for security analysis. This is a standard and expected behavior for web security auditing.\n- [INDIRECT_PROMPT_INJECTION]: The skill utilizes browser automation to ingest and analyze external data (DOM, JS, network logs, and document uploads). This represents a functional requirement for the skill to test for indirect injection vulnerabilities in target applications. The skill acknowledges this attack surface and provides defensive strategies in DefenseMechanisms.md.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — PromptInjection