qa-review
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) by processing untrusted data to drive browser automation.
- Ingestion points: The skill fetches the full task description and all comments from Teamwork using the Teamwork MCP (Step 1 in SKILL.md).
- Boundary markers: None. The skill does not use delimiters or instructions to prevent the agent from following directions embedded within the Teamwork comments.
- Capability inventory: The skill uses the CoWork tool for browser automation, including navigation, interaction, and capturing screenshots of external URLs.
- Sanitization: No validation or escaping is applied to the data extracted from Teamwork before it is used to generate dynamic validation steps or identify the target URL.
- [DATA_EXFILTRATION]: The skill extracts multi-dev URLs from external task comments and uses browser automation to capture screenshots of those environments. If a malicious actor places a URL to a sensitive internal resource or a site containing private data in a Teamwork comment, the agent may navigate there and expose the content via screenshots in the chat output.
Audit Metadata