codebase-exploration
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTIONNO_CODE
Full Analysis
- [Prompt Injection] (HIGH): The skill provides a significant attack surface for Indirect Prompt Injection (Category 8) by directing the agent to ingest and analyze untrusted content from external codebases.
- Ingestion points: All file contents and directory structures accessed via
rg,fd,ls, orcat(SKILL.md, REFERENCE.md). - Boundary markers: Absent; there are no instructions to the agent to treat codebase content as data rather than instructions or to ignore embedded commands.
- Capability inventory: While the exploration tools themselves are read-only, the skill documentation explicitly integrates with high-privilege capabilities like debugging and refactoring specialists (SKILL.md).
- Sanitization: No evidence of sanitization or filtering of the ingested content.
- [Credentials Unsafe] (HIGH): The skill is optimized to locate sensitive secrets and configuration files.
- Evidence: REFERENCE.md provides specific regex and search templates for identifying
password,jwt,token,bcrypt,hash, and session management logic across the codebase. - [Command Execution] (LOW): The skill's workflow depends on the execution of shell-based utilities. If the agent does not properly sanitize inputs such as search patterns or filenames, it could be vulnerable to command injection if the repository being scanned contains maliciously crafted filenames.
Recommendations
- AI detected serious security threats
Audit Metadata