icp-research
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of collecting and processing untrusted data from external web platforms. \n
- Ingestion points: The
voc-collector-agent.mdinstructions guide the agent to use web search and scraping tools (such as Exa or Firecrawl) to retrieve customer quotes from public platforms like Reddit, Twitter, and G2. \n - Boundary markers: The skill lacks explicit delimiters or instructions to ignore potentially malicious commands embedded within the collected external quotes when they are passed to other agents. \n
- Capability inventory: The orchestrator has the capability to write research artifacts to the filesystem (
.agents/mkt/icp-research.md) and spawn multiple specialized sub-agents based on the processed content. \n - Sanitization: There is no evidence of sanitization or filtering of the retrieved web content before it is used to influence the output of the Persona Agent, Pain Analysis Agent, and Synthesis Agent. \n
- Risk: An attacker could place malicious instructions in a public forum thread that, if scraped by the collector agent, might attempt to manipulate the resulting research artifacts or influence subsequent agent actions in the chain.
Audit Metadata