research-manager
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs dynamic discovery of local assets by executing a shell script that iterates through a directory structure and extracts metadata from files.
- Evidence:
cd /Users/engineer/workspace/backtest/.agents/skills && for d in */; do n="${d%/}"; desc=$(grep -m1 '^description:' "$n/SKILL.md" 2>/dev/null | sed 's/^description: //'); echo "$n :: $desc"; doneinSKILL.md. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted metadata from external skill files to define its execution plan.
- Ingestion points: Processes natural-language user queries and the
descriptionfields fromSKILL.mdfiles found in the/Users/engineer/workspace/backtest/.agents/skills/directory. - Boundary markers: No delimiters or instructions are provided to the agent to treat the discovered skill descriptions as untrusted data.
- Capability inventory: The skill executes shell commands (
cd,grep,sed) and produces a structured JSON research plan that guides subsequent agent actions. - Sanitization: There is no evidence of sanitization, validation, or filtering of the content extracted from external skill files before it is processed by the model.
Audit Metadata