hacker
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes external data, including defensive findings (deduped-findings.json) and web content fetched via the agent-browser skill, creating an indirect prompt injection surface.
  - Ingestion points: The skill ingests findings from deduped-findings.json (referenced in SKILL.md and references/autoresearch-loop.md) and web page content during the recon phase (referenced in references/playbooks/recon-web-api.md).
  - Boundary markers: The skill instructs the agent to treat page content as untrusted data, specifically recommending AGENT_BROWSER_CONTENT_BOUNDARIES=1 in SKILL.md, and references/autoresearch-loop.md warns explicitly that findings are to be treated as untrusted.
  - Capability inventory: The agent can perform network operations through a browser, write local report artifacts, and execute shell commands for loop management.
  - Sanitization: Instructions emphasize redacting secrets and manually reviewing findings, but the framework relies on the agent's adherence to those instructions rather than on automated sanitization of external data.
- [COMMAND_EXECUTION]: references/autoresearch-loop.md includes a shell script snippet that manages the timing of an automated research loop.
  - Evidence: The script uses standard utilities (seq, sleep, echo) to trigger cycles within the environment.
  - Mitigation: The risk of command injection through user-supplied cycle counts or intervals is mitigated by instructions for the agent to validate both inputs as integers and to enforce a hard cap of 10 cycles.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the agent-browser skill from an official repository of a well-known provider to handle browser-based tasks.
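The COMMAND_EXECUTION mitigation above (validate cycle count and interval as integers, hard-cap cycles at 10) in working form, as an added example that is not the skill's own script from references/autoresearch-loop.md. The helper names, the placeholder cycle body and the loop structure are assumptions; only the use of seq, sleep and echo and the validation rules come from the audit text.

```sh
#!/bin/sh
# Added example, not the skill's own script: a loop driver that applies the
# mitigation the audit describes (validate cycle count and interval as
# integers, hard-cap cycles at 10) before any command runs. The cycle body
# is a placeholder echo; the real skill's per-cycle work is not shown here.

MAX_CYCLES=10

# is_uint: succeed only if $1 is a non-empty string of ASCII digits.
# Anything else ("", "3; id", "1e3", "-1") fails and never reaches seq/sleep.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# clamp_cycles: print the validated cycle count, capped at MAX_CYCLES.
# Returns 1 (and prints nothing) when $1 is not a non-negative integer.
clamp_cycles() {
  is_uint "$1" || return 1
  if [ "$1" -gt "$MAX_CYCLES" ]; then
    echo "$MAX_CYCLES"
  else
    echo "$1"
  fi
}

# run_loop CYCLES INTERVAL: reject bad input up front, then trigger CYCLES
# cycles INTERVAL seconds apart. Prints the number of cycles actually run.
run_loop() {
  cycles=$(clamp_cycles "$1") || { echo "invalid cycle count: $1" >&2; return 1; }
  is_uint "$2" || { echo "invalid interval: $2" >&2; return 1; }
  interval=$2
  n=0
  for i in $(seq 1 "$cycles"); do
    echo "cycle $i of $cycles" >&2   # placeholder for the real per-cycle work
    n=$((n + 1))
    if [ "$i" -lt "$cycles" ]; then
      sleep "$interval"
    fi
  done
  echo "$n"
}

# Usage: run_loop "$REQUESTED_CYCLES" "$INTERVAL_SECONDS"
```

The check matters because both values end up as arguments to seq and sleep; rejecting anything that is not a plain digit string means a value such as `3; id` is refused before either utility is invoked, and the cap keeps an oversized request from turning the loop into a long-running job.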
Audit Metadata