writeup
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from the current and recent agent sessions to generate summaries and blog posts. An attacker could embed malicious instructions in data the agent processes (e.g., website content or code under analysis), and the skill would then ingest those instructions along with the session history.
- Ingestion points: Processes 'current session' history, 'recent sessions' (episodic memory), and reads local files including a 'Style Guide' and 'Published Examples'.
- Boundary markers: The instructions do not specify any delimiters or instructions to ignore embedded commands within the ingested session history.
- Capability inventory: The skill has the capability to write content to the local file system (drafts folder) based on processed input.
- Sanitization: No explicit sanitization or validation of the ingested session data is mentioned.
- [DATA_EXPOSURE]: The skill requires access to several user-defined local paths to function correctly, including style guides, writing instructions, and existing draft/published folders. While these paths are provided via placeholders, the skill's operations involve reading and indexing this local content to maintain voice consistency.
Audit Metadata