consensus
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill's primary function involves sending user-provided prompts and context to external AI service providers including Google, OpenAI, and DeepSeek.
  - Evidence: `consensus-config-example.yaml` and `SKILL.md` describe the dispatch of data to these external entities.
  - Context: This behavior is fundamental to the skill's multi-model consensus purpose and is controlled by user-provided configuration and API keys.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection where instructions hidden within processed data or external model responses could influence the aggregator's synthesis.
  - Ingestion points: The `prompt` and `context` parameters in `SKILL.md`, and the `[MODEL_RESPONSES]` placeholder in `aggregation-review-prompt.md`, `aggregation-verdict-prompt.md`, and `aggregation-investigate-prompt.md`.
  - Boundary markers: Content is separated by markdown headers (e.g., `## Model Responses`), which may not be sufficient to prevent instruction leakage from untrusted input.
  - Capability inventory: The skill uses the `consensus_query` tool to interact with multiple external LLM APIs and an aggregator model.
  - Sanitization: There is no evidence of sanitization, escaping, or strict validation of the content interpolated into the aggregation templates.
Audit Metadata