product-tracking-model-product
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands to initialize its workspace. Evidence: 'mkdir -p .telemetry/audits' in SKILL.md.
- [PROMPT_INJECTION]: The skill's architecture is vulnerable to indirect prompt injection through the ingestion of untrusted codebase data. 1. Ingestion points: The agent is instructed to scan README.md, routes.ts, package.json, and other project files (SKILL.md). 2. Boundary markers: There are no instructions to use delimiters or ignore instructions embedded in the scanned files. 3. Capability inventory: The agent can create directories, write files to the filesystem, and interact directly with the user (SKILL.md). 4. Sanitization: The skill does not provide instructions for sanitizing or escaping the content read from the codebase before processing it.
- [DATA_EXFILTRATION]: The skill explicitly scans project manifests and configuration files that may contain sensitive metadata or environment details. Evidence: The Discovery Process in SKILL.md directs the agent to scan package.json, Gemfile, and requirements.txt to infer the tech stack and product identity. While this is part of the core functionality, it involves accessing files that often contain sensitive dependency information or hardcoded configurations.
Audit Metadata