gateguard
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions mandate the installation of a custom Python package named
gateguard-aivia pip. This package originates from a community source and is not associated with a verified or well-known organization. - [COMMAND_EXECUTION]: Following installation, the skill requires executing the command
gateguard init. This runs logic from the external package to modify the project environment and create configuration files like.gateguard.yml. - [REMOTE_CODE_EXECUTION]: The skill promotes the use of a JavaScript hook script (
scripts/hooks/gateguard-fact-force.js) and a custom CLI tool. Executing scripts and packages from unverified sources provides a pathway for arbitrary code execution within the agent's runtime environment. - [PROMPT_INJECTION]: The fact-forcing gates include instructions to "Quote the user's current instruction verbatim." This design is vulnerable to indirect prompt injection because malicious content in a user's instruction could be used to influence or bypass the gate's constraints.
- Ingestion points: User instructions are interpolated into the pre-action fact-gathering prompts defined in
SKILL.md. - Boundary markers: The skill lacks explicit delimiters or instructions to treat the quoted user input as untrusted data.
- Capability inventory: The skill possesses the capability to intercept and control core agent tools such as
Edit,Write, andBash. - Sanitization: There is no evidence of escaping or validating user-provided text before it is presented back to the agent context.
Audit Metadata