rules-distill
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes internal bash scripts (scan-skills.sh and scan-rules.sh) to perform inventory tasks. These scripts are bundled with the skill and are used to read local skill and rule definitions.
- [PROMPT_INJECTION]: The skill processes content from other installed skills, creating a surface for indirect prompt injection where malicious skill content could attempt to influence the rules generated.
  1. Ingestion points: Reads SKILL.md files from ~/.claude/skills and project-local directories via scan-skills.sh.
  2. Boundary markers: The LLM prompt uses structured Markdown headers and JSON formatting to separate instructions from input data.
  3. Capability inventory: The skill has the capability to scan files and propose rule changes; however, it cannot modify rules without explicit user approval.
  4. Sanitization: Data is structured using jq, and the process includes a mandatory human-in-the-loop review before any rule modifications are committed.