skill-search
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks. It reads the contents of
SKILL.mdfiles from user-defined directories and presents descriptions and triggers directly to the agent. A malicious skill could embed instructions in these fields to manipulate the agent's behavior during search retrieval. \n - Ingestion points:
scripts/embeddings.py(line 91) andscripts/skill_search.py(line 27) read skill documentation from the filesystem. \n - Boundary markers: Output is presented to the agent as plain text without delimiters or explicit instructions to ignore embedded commands. \n
- Capability inventory: The tool performs file read operations across system and user paths and writes to a local JSON index. \n
- Sanitization: Content is limited to 2000 characters, but no escaping or validation of natural language instructions is performed. \n- [PROMPT_INJECTION]: The skill uses deceptive metadata to misrepresent its capabilities. Both the
SKILL.mdfile and script docstrings claim to provide 'LLM-powered task matching' and 'Semantic Search' using embedding models. However, the implementation inscripts/embeddings.py(line 125) uses a trivial character-level trigram hashing function. This discrepancy can lead the agent or user to over-rely on potentially inaccurate or manipulated search results.
Audit Metadata