hackerone

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE

PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted external data and interpolates it into agent prompts.
  • Ingestion points: Untrusted asset identifiers and program guidelines are parsed from external CSV files using tools/csv_parser.py or fetched from remote URLs as described in SKILL.md.
  • Boundary markers: Absent; the untrusted content is interpolated directly into the Agent prompt in SKILL.md using only newline separators, providing no clear boundary between instructions and data.
  • Capability inventory: The skill framework is designed to spawn background agents and requires the creation of executable PoC scripts (poc.py).
  • Sanitization: No input validation or sanitization is performed on the CSV fields or program descriptions to prevent embedded instructions from overriding the agent's behavior.
  • [DATA_EXPOSURE]: The skill facilitates the discovery and storage of sensitive data (credentials, API keys, and PII) in local JSON and Markdown files (sensitive_data_metadata.json). While this is core functionality for a security testing tool, it represents a data exposure surface. However, the skill implements redaction rules and provides a validation tool (tools/report_validator.py) specifically to identify and sanitize this data before any external submission.
Audit Metadata
Risk Level
SAFE
Analyzed
May 12, 2026, 02:23 AM