kb
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted markdown files from the `research/{topic}/raw/` directory during the compilation phase and from `research/{topic}/wiki/queries/` during the flywheel phase.
  - Ingestion points: Content is ingested from user-provided files in `research/{topic}/raw/` (via `compile.md`) and previously generated query results in `research/{topic}/wiki/queries/`.
  - Boundary markers: The instructions lack delimiters or explicit directives to ignore instructions contained within the source data.
  - Capability inventory: The skill has access to powerful tools including `Write`, `Edit`, and `Bash`.
  - Sanitization: No sanitization or validation of the ingested content is performed before it is used to synthesize new articles or answer queries.
- [COMMAND_EXECUTION]: The skill requests the `Bash` tool. Although the core instructions focus on file management and text processing, the availability of a shell allows for the execution of arbitrary commands. If an indirect prompt injection attack is successful, this tool could be used to compromise the local environment.