weather
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through schema confusion in its output results.
- Ingestion points: The city and days parameters are defined in SKILL.md and ingested by weather_cli.sh via standard input.
- Boundary markers: No delimiters or protective instructions are used to wrap the tool output or prevent the agent from obeying instructions embedded in the weather data.
- Capability inventory: The skill uses a bash script (weather_cli.sh) to generate structured JSON output that is processed by the AI agent.
- Sanitization: Absent. The script uses raw shell variable interpolation to construct its JSON response rather than a dedicated JSON generator. This creates a schema confusion surface where an attacker-provided city name containing quotes and commas can inject arbitrary keys and values into the resulting JSON object.
Audit Metadata