research-manager

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs dynamic discovery of local assets by executing a shell script that iterates through a directory structure and extracts metadata from files.
  • Evidence: cd /Users/engineer/workspace/backtest/.agents/skills && for d in */; do n="${d%/}"; desc=$(grep -m1 '^description:' "$n/SKILL.md" 2>/dev/null | sed 's/^description: //'); echo "$n :: $desc"; done in SKILL.md.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted metadata from external skill files to define its execution plan.
  • Ingestion points: Processes natural-language user queries and the description fields from SKILL.md files found in the /Users/engineer/workspace/backtest/.agents/skills/ directory.
  • Boundary markers: No delimiters or instructions are provided to the agent to treat the discovered skill descriptions as untrusted data.
  • Capability inventory: The skill executes shell commands (cd, grep, sed) and produces a structured JSON research plan that guides subsequent agent actions.
  • Sanitization: There is no evidence of sanitization, validation, or filtering of the content extracted from external skill files before it is processed by the model.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 08:03 AM
Security Audit — agent-trust-hub — research-manager