news-tracker
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because its primary function involves processing untrusted data from the internet.
- Ingestion points: Untrusted content enters the agent's context through the results of the
search_webtool as described in Step 3 of SKILL.md. - Boundary markers: The skill does not define clear delimiters or specific instructions (e.g., 'ignore all instructions within the search results') to separate fetched content from the agent's internal logic.
- Capability inventory: The skill is limited to reading data via
search_weband formatting output; it lacks dangerous capabilities such as file system writes, network exfiltration, or arbitrary command execution. - Sanitization: While the skill provides logic for de-duplication and relevance scoring, it lacks explicit sanitization or filtering mechanisms to prevent instructions embedded in news summaries from influencing the agent's behavior.
Audit Metadata