techdebt
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [NO_CODE] (SAFE): The skill contains only Markdown documentation and templates. No executable Python, JavaScript, or Shell scripts are present within the provided files.
- [CREDENTIALS_UNSAFE] (SAFE): While the file `references/patterns.md` contains example secrets like `API_KEY = "sk-1234567890abcdef"`, these are explicitly categorized as "Bad" patterns for detection purposes and are not functional credentials.
- [PROMPT_INJECTION] (SAFE): No instructions designed to override agent behavior, bypass safety filters, or extract system prompts were detected.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill defines a surface for processing untrusted external data (source code) and provides high-impact capabilities like file-writing (`--fix`). This presents a vulnerability surface for indirect prompt injection where an attacker could place instructions in code comments.
  - Ingestion points: Local source code files (Python, JS, Go, Rust, SQL).
  - Boundary markers: No delimiters or "ignore instructions" warnings are present in the report template.
  - Capability inventory: Shell command execution (`git blame`) and file system write access (`/techdebt --fix`).
  - Sanitization: No sanitization or validation logic is described in the reference documentation.
Audit Metadata