setup
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from project configuration files to drive its installation logic.
- Ingestion points: Scans various project files, including package.json, pyproject.toml, requirements.txt, Cargo.toml, and the others listed in SKILL.md.
- Boundary markers: Absent. The skill instructions do not provide the agent with delimiters or instructions to ignore embedded commands within the ingested files.
- Capability inventory: The agent can execute codekit CLI commands and write new skill files to the filesystem.
- Sanitization: Absent. Strings taken from the project files (e.g., framework names, test commands) are interpolated directly into the generated cook skill template.
- [COMMAND_EXECUTION]: The skill invokes local CLI tools (codekit skills add, codekit learn, codekit skills related) to automate the installation and configuration of the agent's environment based on the detected tech stack.
- [COMMAND_EXECUTION]: The skill dynamically assembles a new SKILL.md file by injecting project-specific details into a predefined template. While this is used for legitimate workflow customization, it involves runtime file creation based on strings extracted from untrusted project files.
Audit Metadata