worldmodel
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes and synthesizes substantial amounts of untrusted data from the web and external repositories.
- Ingestion points: Data enters the context through web search results, external URL fetching (WebFetch), and content from third-party OSS repositories (Phase 1).
- Boundary markers: The instructions lack explicit requirements for using delimiters or warnings to ignore instructions embedded within the harvested data during the synthesis phase.
- Capability inventory: The agent has access to web search, file system reads, and the ability to dispatch further subagents (SKILL.md).
- Sanitization: No sanitization or validation protocols are defined for the data before it is processed by the LLM for synthesis.
- [DATA_EXFILTRATION]: The skill's 'Ecosystem discovery' workflow (Phase 1, OSS channel) performs automated web searches based on entities, package names, and organizations discovered within the local codebase or internal reports. This can lead to a metadata leak where the existence or naming conventions of private projects are exposed to external search engines and web services.
- [COMMAND_EXECUTION]: The workflow utilizes broad filesystem exploration capabilities, including recursive globbing and grepping across the codebase and user-specified directories. While these are used for mapping surfaces, they represent an autonomous search across the entire available filesystem depth.
Audit Metadata