sf-security

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill encourages fetching current security documentation (e.g., SLAS, PCI DSS v4) via WebSearch and WebFetch. This ingestion of external, untrusted content represents a surface for indirect prompt injection where an attacker could poison search results to influence the agent's behavior.\n
  • Ingestion points: External content is brought into the agent context through the WebFetch tool after searching for guides in SKILL.md.\n
  • Boundary markers: There are no explicit boundary markers or instructions to isolate the fetched external content from the skill's own instructions, increasing the risk of the agent following embedded commands.\n
  • Capability inventory: The skill is granted access to the Write, Edit, and Bash tools, which provides a high-impact capability surface if the agent is influenced by malicious instructions in the fetched data.\n
  • Sanitization: The skill lacks mechanisms to sanitize or validate the content of the fetched external documentation before processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 31, 2026, 06:10 AM
Security Audit — agent-trust-hub — sf-security