heavyskill
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's architecture creates a surface for indirect prompt injection during its multi-stage execution.
- Ingestion points: In SKILL.md, the user-provided `{query}` is directly interpolated into the Stage 1 Agent prompt without sanitization.
- Boundary markers: In Stage 3 (Sequential Deliberation), the agent is instructed to audit and synthesize trajectories collected in Stage 2. There are no explicit boundary markers or instructions to treat these trajectories as untrusted data, which could allow a malicious query to influence the deliberation logic.
- Capability inventory: The skill itself does not include executable code or explicit tool calls; however, the lack of tool restrictions in the metadata means a successful injection could potentially attempt to leverage platform-provided tools.
- Sanitization: No validation or escaping of the input query or the intermediate reasoning outputs is performed.
Audit Metadata